Admin-Guide-3 4 2

Eucalyptus 3.4.
2 Administration Guide
2014-02-23 Eucalyptus Systems

Eucalyptus | Contents | 2
Contents
Management Overview.............................................................................................5
Overview of Eucalyptus........................................................................................................................................5
Accessing Eucalyptus............................................................................................................................................5
Command Line Interface...........................................................................................................................5
Eucalyptus Administrator Console Overview...........................................................................................5
Manage Your Cloud..................................................................................................9

Cloud Overview.....................................................................................................................................................9
Networking Configuration Options.........................................................................................................10
Cloud Best Practices............................................................................................................................................12
Working with vSphere.............................................................................................................................12
Securing Your Cloud................................................................................................................................13
Configure SSL.........................................................................................................................................14
High Availability.....................................................................................................................................14
Storage Volumes......................................................................................................................................17
Caching Images on the Cluster Controller..............................................................................................18
Cloud Tasks.........................................................................................................................................................19
Inspect System Health.............................................................................................................................19
View User Resources...............................................................................................................................20
List Arbitrators........................................................................................................................................20
Change Network Configuration..............................................................................................................21
Add a Node Controller............................................................................................................................21
Migrate Instances Between Node Controllers.........................................................................................21
Remove a Node Controller......................................................................................................................22
Restart Eucalyptus...................................................................................................................................22
Shut Down Eucalyptus............................................................................................................................23
Back Up and Restore the Database.........................................................................................................25
Back Up and Restore a DASManager-Configured Storage Controller...................................................26
Disable CloudWatch................................................................................................................................26
Manage Access.........................................................................................................27
Access Overview.................................................................................................................................................27
Access Concepts......................................................................................................................................27
Policy Overview......................................................................................................................................29
LDAP/AD Integration.............................................................................................................................37
Access Tasks........................................................................................................................................................44
Use Case: Create an Administrator.........................................................................................................45
Use Case: Create a User..........................................................................................................................46
Accounts..................................................................................................................................................47
Groups.....................................................................................................................................................50
Users........................................................................................................................................................54
Credentials...............................................................................................................................................58
Synchronize LDAP/AD...........................................................................................................................59
Manage Resources...................................................................................................61
Manage Compute Resources...............................................................................................................................61
Manage Walrus Resources...................................................................................................................................61
Manage IAM Resources......................................................................................................................................61
Manage CloudWatch Resources..........................................................................................................................63
Manage ELB Resources......................................................................................................................................63
Manage Auto Scaling Resources.........................................................................................................................64
Manage Security......................................................................................................65
Security Overview...............................................................................................................................................65
Best Practices......................................................................................................................................................65
Network and Message Security...............................................................................................................65
Authentication and Access Control.........................................................................................................66
Hosts........................................................................................................................................................66
Images and Instances...............................................................................................................................67
User Console...........................................................................................................................................67
LDAP Security........................................................................................................................................68
Tasks....................................................................................................................................................................69
Congifure Managed Mode.......................................................................................................................69
Configure SSL.........................................................................................................................................69
Synchronize Components........................................................................................................................72
Configure Replay Protection...................................................................................................................72
Reserve Ports...........................................................................................................................................73
Configure the Firewall.............................................................................................................................74
Configure Session Timeouts....................................................................................................................75
Configure LDAP.....................................................................................................................................75
Manage Reporting...................................................................................................76
Reporting Overview............................................................................................................................................76
Instance Report........................................................................................................................................76
S3 Report.................................................................................................................................................77
Volume Report.........................................................................................................................................77
Snapshot Report......................................................................................................................................77
Elastic IP Report......................................................................................................................................78
Capacity Report.......................................................................................................................................78
Reporting Best Practices.....................................................................................................................................78
Reporting Tasks...................................................................................................................................................79
Reporting Tasks: CLC.............................................................................................................................79

Reporting Tasks: Data Warehouse...........................................................................................................79
Eucalyptus Commands...........................................................................................82
Eucalyptus Administration Commands...............................................................................................................82
euca_conf.................................................................................................................................................82
euca-describe-properties..........................................................................................................................84
euca-modify-property..............................................................................................................................85
euca-describe-services.............................................................................................................................86
Eucalyptus Report Commands............................................................................................................................87
Reports Commands: CLC.......................................................................................................................87
Report Commands: Data Warehouse.......................................................................................................91
Modifiable Eucalyptus Properties.......................................................................................................................94
Advanced Storage Configuration........................................................................100

EMC VNX Advanced Configuration................................................................................................................100
Configure EMC VNX Synchronous Snapshots....................................................................................100
Best Practices for Multipathing with EMC VNX..................................................................................100
Troubleshooting EMC VNX Multipathing............................................................................................101
NetApp Advanced Configuration......................................................................................................................103
NetApp Clustered Data ONTAP...........................................................................................................103
Configurable NetApp SAN Properties..................................................................................................103
Eucalyptus | Management Overview | 5
Management Overview
The section shows you how to access Eucalyptus with a web-based console and with command line tools. This section
also describes how to perform common management tasks.
This document is intended to be a reference. You do not need to read it in order, unless you are following the directions
for a particular task.
Overview of Eucalyptus
Eucalyptus is a Linux-based software architecture that implements scalable, efficiency-enhancing private and hybrid
clouds within an enterprises existing IT infrastructure. Because Eucalyptus provides Infrastructure as a Service (IaaS),
you can provision your own resources (hardware, storage, and network) through Eucalyptus on an as-needed basis.
A Eucalyptus cloud is deployed across your enterprise's on-premise data center. As a result, your organization has a full
control of the cloud infrastructure. You can implement and enforce various level of security. Sensitive data managed
by the cloud does not have to leave your enterprise boundaries, keeping data completely protected from external access
by your enterprise firewall.
Eucalyptus was designed from the ground up to be easy to install and non-intrusive. The software framework is modular,
with industry-standard, language-agnostic communication. Eucalyptus is also unique in that it provides a virtual network
overlay that isolates network traffic of different users as well as allows two or more clusters to appear to belong to the
same Local Area Network (LAN).
Eucalyptus also is compatible with Amazons EC2, S3, and IAM services. This offers you hybrid cloud capability.
Accessing Eucalyptus
There are two ways to interact with Eucalyptus. You can use the administrative command line interface for making
requests to Eucalyptus, or you can use the web-based user interface, called the Eucalyptus Administrator Console.
Tip: This guide will show both CLI and Eucalyptus Administrator Console steps for performing a task, when
the task can be performed by both methods.
Command Line Interface

Eucalyptus supports two command line interfaces (CLIs): the administration CLI and the user CLI.
The administration CLI is installed when you install Eucalyptus server-side components. The administration CLI is for
maintaining and modifying Eucalyptus.
The other user CLI, called Euca2ools, can be downloaded and installed on clients. Euca2ools are for end users and can
be used with both Eucalyptus and Amazon Web Services (AWS).
The commands used in this guide assume that the environment variables exported by a eucarc file for an administrative
Eucalyptus user have been set. For more information, see the Eucalyptus Installation Guide.
Important: If you haven't already done so, change the default password for the administration user. You can
do this using the euare-usermodloginprofile or by logging in to the Eucalyptus Administrator Console.
The first time you log in to the console, you are prompted for a new password.
Eucalyptus Administrator Console Overview

The Eucalyptus Administrator Console provides cloud administrators with a way to perform several management tasks
in a web user interface.
CC-BY-SA, Eucalyptus Systems, Inc.

The Eucalyptus Administrator Console provides Quick Links for standard administrative actions and queries. These
links, located on the left side of the screen, provide a convenient way to navigate through the Eucalyptus Administrator
Console. For example, if you click Accounts, the Eucalyptus Administrator Console displays the Accounts page, listing
all accounts in your system. Any property of a link, e.g., an account ID, displays on the right side of the screen as a link.
For more experienced users, the Eucalyptus Administrator Console provides a robust search engine. You can search for
information or tasks quickly by building your own search. Because the Eucalyptus Administrator Console is search-based,
even the Quick Links and other returned URLs from searches are themselves searches. Because each link is search,
any Eucalyptus Administrator Console link you bookmark is also a search.
So the Eucalyptus Administrator Console offers you two ways to get information: by search or by following links. To
show the member users of an account, you can click Accounts in quick links, select the account, and then click on the
Member users link in the Properties section. Or, you use the Search box and type:
user:account=<account_name>.
Signing in to the Eucalyptus Administrator Console

This section describes how to sign in to the Eucalyptus Administrator Console.
The Eucalyptus Administrator Console is web-based interface that allows you to manage your system, identities, and
resources.
To sign in to the Eucalyptus Administrator Console:
1. Open a browser window and go to https://<CLC_IP_address>:8443
Your browser displays a warning.
2. Accept the self-signed SSL certificate and continue.
The Eucalyptus sign-in page displays.
3. Enter your account name in the Account field.
For system admins, the account name is eucalyptus.
4. Enter your user name in the User field.

5. Enter your password in the Password field.
6. Click the Sign in button.
The Eucalyptus Administrator Console Start Guide page displays.
You can now use the Eucalyptus Administrator Console to manage your system, identities, and resources.
Understanding the Eucalyptus Administrator Console

This section explains the components of the Eucalyptus Administrator Console screen.
The Eucalyptus Administrator Console screen has the following areas:
Header This area includes the logo, the link to a user profile setting menu, and the big search box.
User Profile The current login user identity displays on the right side of the logo area. It shows the user name and
the account name of the user identity, in the format of
<user_name>@<account_name>
Click the profile name to display the user profile menu. The menu provides the following functions:
View/change profile: Displays the search result of the current user. In the search result page, you
can view or change your identitys profile.
View access key: Displays the search result of the current users access key.
Change password: Displays a dialog to change password.
Download new credentials: Downloads the current users credential package in a zip file.

Quick Links The left side of the Eucalyptus Administrator Console screen contains the Quick Links area. This area
provides links to various contents of the Eucalyptus Administrator Console.
The Quick Links area is organized into sections made up of two levels. The top level is a heading for
that section. Under each heading is a second section that contains a list of links. Each link is a search
query in the form of the URL. Click a link to return the associated search result. For example, Your
Keys is a search query of all the access keys belonging to you.
You can hide the Quick Links area by clicking the arrow of the vertical separator between Quick Links
and the main content area.
Main The center part of the main screen displays the main content, usually the search result list. In many
Content content displays, the Eucalyptus Administrator Console displays a toolbar that contains action buttons.
The bottom of the content area provides the page navigation controls.
The search result list usually has multiple columns, some of which are sortable. Click the title in the
column to sort the column display. If the list is too long, the Eucalyptus Administrator Console partitions
the list into multiple pages. By default, each page displays a maximum of 25 rows, but you can configure
this number.
.
When you select an item in the main content area, the Eucalyptus Administrator Console highlights the
entire row and displays the Properties area. To select multiple items, use the Ctrl key for individual
items, or the Shift key for a continuous block of items.
Properties The Properties area displays the detailed information about a selected search result item. The properties
are displayed in two columns: the property name is on the left, and the property value is on the right.
Working with the Properties area:
The Eucalyptus Administrator Console displays values of editable properties in a white input box.
If you make any changes to value, the Eucalyptus Administrator Console displays the Save button
at the bottom. Click this button to save any changed values.
Some properties are of complex types. For example, the list of member users of an account. In these
cases, the property names are displayed in hyperlinks with a magnifying glass icon. These hyperlinks
invoke a search query.
Other properties display an "action" icon. For example, Password displays a pencil icon. Click that
icon to change the password.
The Eucalyptus Administrator Console allows you to customize the displayed information in
Properties. Click the plus icon to add a new property to the display. Click the minus icon to delete
a property from the display.
Click the X next to the Properties title to hide the area.
Status The bar at the bottom of the main screen shows system status messages, log window toggle button and
the software version (from left to right).
Logs Click the LOG button on the status bar to pop up the log window. The log window records important
dashboard events, especially any operations that modify system states, e.g. adding a new account, etc.
The log windows records the latest 1024 log messages.
Using Search
This section details the Search function in the Eucalyptus Administrator Console.
Experienced users can use search box to get any information provided by the dashboard. The basic syntax of a search
is as follows:
<type>: <field1>=<value1>,<value2>
<field2>=<value1>,<value2>

The <type> specifies the information type provided by the Eucalyptus Administrator Console. Currently Eucalyptus
supports the following types:
Type Name Description Fields
start Start page None

config Service components configuration None
account Accounts name, id
group User groups account, name, id, path, user
user Users account, name, id, path, enabled,
registration, group, [custom keys...]
Users custom keys can be used as
fields.
group field means the user has
membership in that group.
policy Eucalyptus policies account, user, group, name, id,

version, text
key Access keys account, user, id, active, user
cert X509 certificates account, user, id, revoked, active
image VM images None
vmtype VM types None
report Report page None
Note: In the table, the field names in bold font means that for that field, the query evaluator does a partial match
for the value.
The minimal search query contains the type name and a colon. For example, to display the Start Guide page, you would
enter:
start:
After the colon, you enter a list of conditions, if any are accepted by the type name. Each condition has a field name
and a list of values. The field name and values are separated by an equal sign. There is no space between the field name
and value. Separate values with a comma, and don't include a space. Separate multiple conditions with a space.
To evaluate the search query, all conditions must be satisfied. For each condition, only one of the value for the field
needs to be matched. For example, to find all users in the accounts whose names contain "testaccount", and whose user
names contain "user1" or "user2", and who are enabled, enter the following:
user:account=testaccount name=user1,user2 enabled=true
After entering a search query in the search box in the header area of the main screen, press the Enter key. The search
result displays in the content area. The browser URL will also change to reflect the search. Actually, the search query
itself is part of the URL (after the pound sign). For example:
https://localhost:8443/#account:name=test
In fact, you can type a search directly in the URL box of the browser. But remember that the URL itself is URL encoded.
This also enables Eucalyptus to construct a search URL and add to any web page.

Eucalyptus | Manage Your Cloud | 9
Manage Your Cloud

After you install and intially configure Eucalyptus, there are some common adminstration tasks you can perform. This
section describes these tasks and associated concepts.
Tip: The System Management section of the Quick Links area allows you to go to the Start Guide or the
Service Components page.
Cloud Overview
This topic presents an overview of the components in Eucalyptus.
Eucalyptus is comprised of six components: Cloud Controller, Walrus, Cluster Controller, Storage Controller, Node
Controller, and an optional VMWare Broker. Each component is a stand-alone web service. This architecture allows
Eucalyptus both to expose each web service as a well-defined, language-agnostic API, and to support existing web
service standards for secure communication between its components.
Cloud The Cloud Controller (CLC) is the entry-point into the cloud for administrators, developers, project
Controller managers, and end-users. The CLC queries other components for information about resources, makes
high-level scheduling decisions, and makes requests to the Cluster Controllers (CCs). As the interface
to the management platform, the CLC is responsible for exposing and managing the underlying
virtualized resources (servers, network, and storage). You can access the CLC through command
line tools that are compatible with Amazons Elastic Compute Cloud (EC2) and through a web-based
Eucalyptus Administrator Console.
Walrus Walrus allows users to store persistent data, organized as buckets and objects. You can use Walrus
to create, delete, and list buckets, or to put, get, and delete objects, or to set access control policies.
Walrus is interface compatible with Amazons Simple Storage Service (S3). It provides a mechanism
for storing and accessing virtual machine images and user data. Walrus can be accessed by end-users,
whether the user is running a client from outside the cloud or from a virtual machine instance running
inside the cloud.
Cluster The Cluster Controller (CC) generally executes on a machine that has network connectivity to both
Controller the machines running the Node Controller (NC) and to the machine running the CLC. CCs gather
information about a set of NCs and schedules virtual machine (VM) execution on specific NCs. The
CC also manages the virtual machine networks. All NCs associated with a single CC must be in the
same subnet.
Storage The Storage Controller (SC) provides functionality similar to the Amazon Elastic Block Store (Amazon
Controller EBS). The SC is capable of interfacing with various storage systems (NFS, iSCSI, SAN devices,
etc.). Elastic block storage exports storage volumes that can be attached by a VM and mounted or
accessed as a raw block device. EBS volumes persist past VM termination and are commonly used
to store persistent data. An EBS volume cannot be shared between VMs and can only be accessed
within the same availability zone in which the VM is running. Users can create snapshots from EBS
volumes. Snapshots are stored in Walrus and made available across availability zones. Eucalyptus
with SAN support lets you use your enterprise-grade SAN devices to host EBS storage within a
Eucalyptus cloud.
Node The Node Controller (NC) executes on any machine that hosts VM instances. The NC controls VM
Controller activities, including the execution, inspection, and termination of VM instances. It also fetches and
maintains a local cache of instance images, and it queries and controls the system software (host OS
and the hypervisor) in response to queries and control requests from the CC. The NC is also responsible
for the management of the virtual network endpoint.
VMware VMware Broker (Broker or VB) is an optional Eucalyptus component activated only in versions of
Broker Eucalyptus with VMware support. Broker enables Eucalyptus to deploy virtual machines (VMs) on

VMware infrastructure elements. Broker mediates all interactions between the CC and VMware
hypervisors (ESX/ESXi) either directly or through VMware vCenter. For more information about
working with vSphere Server, see Working with vSphere.
Networking Configuration Options

All network-related options specified in /etc/eucalyptus/eucalyptus.conf use the prefix VNET_. The most commonly
used VNET options are described in the following table.
Important: If you change the value of in the eucalyptus.conf file, you must restart the Cluster Controller.
Option Description Modes
VNET_ADDRESSPERNET This option controls how many VM instances can Managed,

simultaneously be part of an individual user's security Managed (No
group. This option is set to a power of 2 (16, 24, 32, 64, VLAN)
etc,) but it should never be less than 8 and it cannot be
larger than: (the total number of available IP addresses -
2).
This option is used with VNET_NETMASK to determine
how the IP addresses that are available to VMs are
distributed among security groups. VMs within a single
security group can communicate directly. Communication
between VMs within a security group and clients or VMs
in other security groups is controlled by a set of firewall
rules. For example, setting
VNET_NETMASK="255.255.0.0"
VNET_ADDRESSPERNET="32"
defines a netmask of 255.255.0.0 that uses 16 bits of the

IP address to specify a network number. The remaining 16
bits specify valid IP addresses for that network meaning
that 2^16 = 65536 IP addresses are assignable on the
network. Setting VNET_ADDRESSPERNET="32" tells
Eucalyptus that each security group can have at most 32
VMs in it (each VM getting its own IP address). Further,
it stipulates that at most 2046 security groups can be active
at the same time since 65536 / 32 = 2048. Eucalyptus
reserves two security groups for its own use.
In addition to subnets at Layer 3, Eucalyptus uses VLANs
at Layer 2 in the networking stack to ensure isolation
(Managed mode only).
VNET_BRIDGE On an NC, this is the name of the bridge interface to which Static
instances' network interfaces should attach. A physical
System
interface that can reach the CC must be attached to this
bridge. Common setting for KVM is br0. Managed (No
VLAN)
VNET_BROADCAST, VNET_ROUTER The network broadcast and default gateway to supply to Static
instances in DHCP responses.

VNET_DHCPDAEMON The ISC DHCP executable to use. This is set to a Static

distro-dependent value by packaging. The internal default
Managed
is /usr/sbin/dhcpd3.
Managed (No
VLAN)
VNET_DHCPUSER The user the DHCP daemon runs as on your distribution. Static
For CentOS 6 and RHEL 6, this is typically root.
Managed
Default: dhcpd
Managed (No
VLAN)
VNET_DNS The address of the DNS server to supply to instances in Static

DHCP responses.
Managed
Example:
Managed (No
VNET_DNS="173.205.188.129" VLAN)
VNET_LOCALIP By default the CC automatically determines which IP Managed

address to use when setting up tunnels to other CCs. Set
Managed
this to the IP address that other CCs can use to reach this
(No-VLAN)
CC if tunneling does not work.
VNET_MACMAP A map of MAC addresses to IP addresses that Eucalyptus Static
should allocate to instances when running in Static mode.
Separate MAC addresses and IP addresses with =
characters. Separate pairs with spaces.
Example:
VNET_MACMAP="00:01:02:03:04:05=192.168.1.1
A1:A2:A3:A4:A5:A6=192.168.1.2"
VNET_MACPREFIX This option is used to specify a prefix for MAC addresses System,
generated by Eucalyptus for VM instances. The prefix has Managed,
to be in the form HH:HH where H is a hexadecimal digit. Managed (No
Example: VNET_MACPREFIX="D0:D0" VLAN)
VNET_MODE The networking mode in which to run. The same mode All
must be specified on all CCs and NCs in your cloud.
Valid values: STATIC, SYSTEM, MANAGED,
MANAGED-NOVLAN,
Default: SYSTEM
VNET_PRIVINTERFACE The name of the network interface that is on the same Static
network as the NCs. In Managed and Managed (No VLAN)
Managed
modes this must be a bridge for instances in different
clusters but in the same security group to be able to reach
one another with their private addresses.
Default: eth0

VNET_PUBINTERFACE On a CC, this is the name of the network interface that is Managed
connected to the public network.
Managed
On an NC, this is the name of the network interface that (No-VLAN)
is connected to the same network as the CC. Depending
on the hypervisor's configuration this may be a bridge or
a physical interface that is attached to the bridge.
Default: eth0
VNET_PUBLICIPS A space-separated list of individual and/or hyphenated Managed

ranges of public IP addresses to assign to instances. If you
Managed
do not set a value for this option, all instances will receive
(No-VLAN)
only private IP addresses.
Example:
VNET_PUBLICIPS=
"173.205.188.140-173.205.188.254"
VNET_SUBNET, VNET_NETMASK These options control the internal private network used by Static, Managed,
instances within Eucalyptus. Eucalyptus assigns a distinct Managed (No
subnet of private IP addresses to each security group. This VLAN)
setting dictates how many addresses each of these subnets
should contain. Specify a power of 2 between 16 and 2048.
This is directly related, though not equal, to the number of
instances that can reside in each security group. Eucalyptus
reserves eleven addresses per security group.
Cloud Best Practices

This section details Eucalyptus best practices for your private cloud.
Working with vSphere

Eucalyptus with the VMware Broker option can create and manage virtual machines on all or a subset of vSphere
infrastructure resources. This topic addresses best practices for vSphere.
Because Eucalyptus takes over the task of managing virtual machines, to avoid interfering with the operation of your
cloud, it is important to avoid performing some operations though vSphere-specific tools, such as the vSphere Client.
Conversely, because Eucalyptus does not manage vSphere hosts, network, or storage, the administrator will have to
continue using vSphere-specific tools for other operations. The following is a comprehensive, but not exhaustive list of
operations that should and should not be performed with vSphere-specific tools.
Actions that may be performed with vSphere tools at any time

vSphere management tasks that do not involve resources (VMs, hosts, networks, datastores, folders, vCenter Server
sessions, etc.) that have never been and are not being used by Eucalyptus.
Adding new resources -- hosts, networks, datastores, folders -- to vCenter. Such resources may be discovered and
used by Eucalyptus automatically, either immediately or after a VMware Broker restart, if the VMware Broker
configuration allows that (see 'discover' option in the section on configuring the VMware Broker).
While we recommend using Eucalyptus's API to manage instances, a VM created by Eucalyptus may be powered
off using vSphere Server tools. (It is not necessary to delete such a VM as Eucalyptus will delete it.)
Managing roles and permissions in ways that do not reduce privileges of Eucalyptus since the time it became active.

Changing vCenter or ESX(i) host settings that do not interfere with ongoing sessions and operations. For instance,
a license on a host utilized by Eucalyptus may be changed as long as the host remains operational.
Changing of vCenter ID or Name (see below regarding the change of IP address).
Actions that may be performed when Eucalyptus is not active (specifically, when the VMware Broker
is shut down):
Deleting the templates (VMs whose names start with 'emi-'). Those will be recreated if needed, albeit at the cost of
additional instance start-up delay. To control the space used by and the number of templates, use VMware Broker's
configuration properties vmwarebroker.vsphere_cache_limit_bytes and vmwarebroker.vsphere_cache_max_elements.
Managing roles and permissions for Eucalyptus-managed resources, as long as new roles, if any, are reflected in
VMware Broker configuration (see 'login' parameter) and as long as no Eucalyptus-created running VMs are taken
out of Eucalyptus's control.
vCenter IP address may be changed as long as VMware Broker's configuration is modified accordingly. IP addresses
of ESX hosts may be changed as long as there are no running Eucalyptus VMs on the host (furthermore, a change
of IP address may require adjustment of configuration unless the host can be discovered).
Actions to avoid with vSphere tools at all times:

Renaming, modifying the settings for, or cloning Eucalyptus-created inventory objects (the name of the top-level
folder on vCenter, VM templates, VMs). This includes changing the virtual hardware characteristics of VMs created
by Eucalyptus.
Migrating, snapshotting, and failing over VMs or templates (emi-...) created by Eucalyptus to a different host or a
different datastore with VMotion, VMware HA, or VMware DRS.
Changing default ports (80 for HTTP and 443 for HTTPS).
Securing Your Cloud

Eucalyptus components receive and exchange messages using either Query or SOAP interfaces (or both). Messages
received over these interfaces are required to have some form of a time stamp (as defined by AWS specification) to
prevent message replay attacks. Because Eucalyptus enforces strict policies when checking timestamps in the received
messages, for the correct functioning of the cloud infrastructure, it is crucial to have clocks constantly synchronized (for
example, with ntpd) on all machines hosting Eucalyptus components. To prevent user commands failures, it is also
important to have clocks synchronized on the client machines.
Following the AWS specification, all Query interface requests containing the Timestamp element are rejected as expired
after 15 minutes of the timestamp. Requests containing the Expires element expire at the time specified by the element.
SOAP interface requests using WS-Security expire as specified by the WS-Security Timestamp element.
When checking the timestamps for expiration, Eucalyptus allows up to 20 seconds of clock drift between the machines.
This is a default setting. You can change this value for the CLC at runtime by setting the
bootstrap.webservices.clock_skew_sec property as follows:
euca-modify-property -p
bootstrap.webservices.clock_skew_sec=<new_value_in_seconds>
For additional protection from the message replay attacks, the CLC implements a replay detection algorithm and rejects
messages with the same signatures received within 15 minutes.
Important: To protect against replay attacks, the CLC only caches messages for 15 minutes. So its important
that any client tools used to interact with the CLC have the Expires element set to a value less than 15 minutes
from the current time. This is usually not an issue with standard tools, such as euca2ools and Amazon EC2 API
Tools.
You can configure replay detection in the CLC to allow replays of the same message for a set time period. This might
be needed to ensure that legitimate requests submitted by automated scripts closely together (such as two requests to
describe instances issued within the same second) are not rejected as malicious. The time within which messages with

the same signatures are accepted is controlled by the bootstrap.webservices.replay_skew_window_sec

property. The default value of this property is three seconds. To change this value, enter the following command:
bootstrap.webservices.replay_skew_window_sec=<new_value_in_seconds>
If you set this property to 0, Eucalyptus will not allow any message replays. This setting provides the best protection
against message replay attacks, but may break some of the client-side scripts that issue commands too quickly.
If you set this property to any value greater than 15 minutes plus the values of ws.clock_skew_sec (that is, to a value
>= 920 sec in the default installation), Eucalyptus disables replay detection completely.
Configure SSL
In order to connect to Eucalyptus using SSL, you must have a valid certificate for the Cloud Controller (CLC). You
must also be running the Cloud Controller and Cluster Controller (CC) on separate machines.
Create a keystore
Eucalyptus uses a PKCS12-format keystore. If you are using a certificate signed by a trusted root CA, use the following
command to convert your trusted certificate and key into an appropriate format:
openssl pkcs12 -export -in [YOURCERT.crt] -inkey [YOURKEY.key] \

-out tmp.p12 -name [key_alias]
Note: this command will request an export password, which is used in the following steps.
Save a backup of the Eucalyptus keystore, at /var/lib/eucalyptus/keys/euca.p12, and then import your
keystore into the Eucalyptus keystore as follows:
keytool -importkeystore \
-srckeystore tmp.p12 -srcstoretype pkcs12 -srcstorepass [export_password] \
-destkeystore /var/lib/eucalyptus/keys/euca.p12 -deststoretype pkcs12 \
-deststorepass eucalyptus -alias [key_alias] \
-srckeypass [export_password] -destkeypass [export_password]
Enable the Cloud Controller to use this keystore

Run the following commands on the Cloud Controller (CLC):
euca-modify-property -p bootstrap.webservices.ssl.server_alias=[key_alias]
euca-modify-property -p \
bootstrap.webservices.ssl.server_password=[export_password]
Restart the CLC by running service eucalyptus-cloud restart or /etc/init.d/eucalyptus-cloud

restart
Optional: Configure the Cloud Controller and Walrus to redirect requests on port 443 to port 8773
The Cloud Controller and Walrus listen for both SSL and non-SSL connections on port 8773. If you have other tools
that expect to speak SSL on port 443, you should forward requests on that port to port 8773. For example, the following
iptables command can be used:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8773
High Availability
This topic explains recommendations for high availability deployments.

High availability is the result of the combination of functionality provided by Eucalyptus and the environmental and
operational support to maintain the constituent systems's proper operation. Eucalyptus provides functionality aimed at
enabling highly available operation:
Detection of service faults and monitoring of system health: gather service status, determine current service topology,
admit requests which can be satisfied using only healthy services in that topology
Tools for interrogating the system's health: access to service state information
Error gathering to aid in determining the cause: access to fault information as it impacts service function
Automated failover when redundant services are configured: removal of faulty services and enabling of healthy
services
Service state control: ability to remove individual component-services (when configured with HA pair) from operation
without disrupting service
Replacement/restoration of component-services: procedures for restoring/replacing a component service after a
total-loss failure (e.g., disk failure, host combustion, etc.)
In addition to previously detailed deployment recommendations, delivering highly available services with Eucalyptus
depends on appropriate operational and maintenance support. The following sections detail the related system functionality
and procedures.
Understanding Service State

The system monitors service health and enables healthy services to process user requests while marking faulty services
as being NOTREADY. Each component service is interrogated by the system to determine its current state. Faults are
detected either:
The service reporting a fault has been detected (for example, due to misconfiguration, dependency service failure,
environmental fault, etc.)
Failure to contact the service
The following table overviews the relevant states
State Operational In use by system Description
ENABLED Yes Yes Service is operating correctly

and is selected for processing
requests
DISABLED Yes No Service is operating correctly
but is not selected for
processing requests
NOTREADY No No Service is failing to operate
correctly
BROKEN No No Service is not contactable by
the system
STOPPED N/A No Service has been stopped by
an administrator
The following diagram indicates the set of relevant states and transitions between them. Black arrows indicate a transition
between states that is initiated by the system or an administrator request. Red errors indicate a failure to transition into
the originating state that results in a transition to the destination error state.

Based on the collected service state, the system will:

Attempt to advance previously non-functioning services to a functional state
Determine whether any functioning services can be ENABLED and added to the set used for serving requests
On the Cloud Controller host, with eucalyptus admin credentials loaded, run euca-describe-services to see
up-to-date service information including the state of each service as described in the above table.
Understanding System Availability

The impact of a service fault on the system's availability depends upon the deployment and configuration of the system.
The following table details the scope a service fault can have on system availability for each component type.
Component Scope (Fault Region) Description
Cloud Controller Cloud The CLC is a cloud-wide service and

must have at least one operation
service.
Walrus Cloud Walrus is a cloud-wide service and
must have at least one operation
service.
Cluster Controller Availability Zone CCs are associated with a partition and
service requests specific to an
availability zone. Should an availability
zone not have an operational CC,
instance requests will be rejected for
the corresponding zone.
Storage Controller Availability Zone Storage controllers are associated with
a partition and service requests specific
to an availability zone. Should an
availability zone not have an
operational storage controller volume
and snapshot creation requests will be
rejected for the corresponding zone

Component Scope (Fault Region) Description
VMware Broker Availability Zone VMware Broker are associated with a

partition and service requests specific
to an availability zone. Should an
availability zone not have an
operational VMware Broker instance
requests will be rejected for the
corresponding zone
Arbitrators User-facing Service Host Arbitrators are associated with a host
that runs user-facing component
services (CLC, Walrus). Each host
must have an operational Arbitrator.
Should a component service host have
a configured but faulty Arbitrator, a
fail-stop condition occurs and locally
hosted services report a NOTREADY
error.
Node Controller Compute Host NCs are associated with each node and
interact with the hypervisor to service
node-specific requests.
A quick way to evaluate system availability is to determine whether:

The cloud has an enabled CLC
The cloud has an enabled Walrus
The availability zone has an enabled CC
The availability zone has an enabled SC
The user-facing service host has one reachable Arbitrator per host (if you configure an Arbitrator)
Storage Volumes
Eucalyptus manages storage volumes for your private cloud. Volume management strategies are application specific,
but this topic includes some general guidelines.
When setting up your Storage Controller, consider whether performance (bandwidth and latency of read/write operations)
or availability is more important for your application. For example, using several smaller volumes will allow snapshots
to be taken on a rolling basis, decreasing each snapshot creation time and potentially making restore operations faster
if the restore can be isolated to a single volume. However, a single larger volume allows for faster read/write operations
from the VM to the storage volume.
An appropriate network configuration is an important part of optimizing the performance of your storage volumes. For
best performance, each Node Controller should be connected to a distinct storage network that enables the NC to
communicate with the SC or SAN, without interfering with normal NC/VM-instance network traffic.
Eucalyptus includes configurable limits on the size of a single volume, as well as the aggregate size of all volumes on
an SC. The SC can push snapshots from the SAN device, where the volumes reside, to Walrus, where the snapshots
become available across multiple clusters. Smaller volumes will be much faster to snapshot and transfer, whereas large
volumes will take longer. However, if many concurrent snapshot requests are sent to the SC, operations may take longer
to complete.
Although an SC can manage an arbitrary number of volumes, intermittent issues have been reported with some hypervisors
when attaching more than 16 volumes to a single NC. Where possible, limiting the number of volumes to no more than
16 per NC is advisable.
EBS volumes are created from snapshots on the SC or SAN, after the snapshot has been downloaded from Walrus to
the device. Creating an EBS volume from a snapshot on the same cluster as the source volume of the snapshot will
reduce delays caused by having to transfer snapshots from Walrus.

Caching Images on the Cluster Controller

To reduce calls to Walrus, Eucalyptus provides a means for images, including ramdisk and kernel images, to be cached
on a cluster controller (CC).
If this feature is enabled, when Eucalyptus starts an instance, it will first look for the instance image in the CC image
cache location. If the image is not found in the CC image cache, it will be loaded from Walrus, and stored in the cache
if space is available.
1. Edit /var/eucalyptus/eucalyptus.conf as follows:
a) Uncomment the CC_IMAGE_PROXY line and specify the IP of the CC host on which to cache images.
# Set this to make the CC cache images, kernels and ramdisks. NCs must
# be able to reach the CC with the specified value.
CC_IMAGE_PROXY="192.168.0.100"
b) Set CC_IMAGE_PROXY_PATH to point to the location of the image cache.
# Set this to the location where the CC image proxy should store cached
# images. The default is /var/lib/eucalyptus/dynserv/
CC_IMAGE_PROXY_PATH="/disk1/storage/cc_cache"
c) Set CC_IMAGE_PROXY_CACHE_SIZE to the maximum size of the image cache.
# Set this to the maximum size (in megabytes) of the CC image proxy cache.
# The default is 32768, or 32 gigabytes.
CC_IMAGE_PROXY_CACHE_SIZE="32768"
Important: Setting CC_IMAGE_PROXY_CACHE_SIZE to 0 will cause any attempts to create an

instance from an uncached image to remain pending indefinitely. To disable image caching, comment
out the CC_IMAGE_PROXY line.
2. Create a data directory at the location specified in CC_IMAGE_PROXY_PATH, and give the eucalyptus user full
access to the directory.
mkdir -p /disk1/storage/cc_cache/data
chmod -R 777 /disk1/storage/cc_cache
3. Perform a restart of the cluster controller.

Important: A restart should only be performed when no instances are running, or when instance service
interruption can be tolerated. A restart causes the CC to reset its networking configuration, regardless of
whether or not it is in use. A restart of a CC in Managed and Managed (NoVLAN) modes that is managing
active VMs can cause a temporary loss of network connectivity until the CC relearns the network topology
and rebuilds the IP table entries.
service eucalyptus-cc restart

Cloud Tasks
This section contains a listing of your Eucalyptus cloud-related tasks.
Inspect System Health

Eucalyptus provides access to the current view of service state and the ability to manipulate the state. You can inspect
the service state to either ensure system health or to identify faulty services. You can modify a service state to maintain
activities and apply external service placement policies.
View Service State

Use the euca-describe-services command to view the service state. The output indicates:
Component type of the service
Partition in which the service is registered
Unique name of the service
Current view of service state
Last reported epoch (this can be safely ignored)
Service URI
Fully qualified name of the service (This is needed for manipulating services that did not get unique names during
registration. For example: internal services like reporting or DNS)
The default output includes the services that are registered during configuration, as well as information about the DNS
service, if present. You can obtain additional service state information, such as internal services, by providing the
-system-internal flag.
You can also make requests to retrieve service information that is filtered by either:
current state (for example, NOTREADY)
host where service is registered
partition where service is registered
type of service (for example, CC or Walrus)
When you investigate service failures, you can specify -events to return a summary of the last fault. You can retrieve
extended information (primarily useful for debugging) by specifying -events -events-verbose.
Heartbeat Service
http://CLCIPADDRESS:8773/services/Heartbeat provides a list of components and their respective
statuses. This allows you to find out if a service is enabled without requiring cloud credentials.
Modify Service State

To modify a service:
Enter the following command on the CLC, Walrus, SC, or VMWareBroker machines:
eucalyptus-cloud stop
On the CC, use the following command:
eucalyptus-cc stop
If, for example, you have SCs that are correctly configured and operating in HA mode. However, you
want to shut down the primary SC for maintenance. The primary SC is SC00 and the secondary SC
is SC01. SC00 is ENABLED and SC01 is DISABLED.

To stop SC00 and cause SC01 to take over, you would enter the following command on SC00:
To check status of services, you would enter:
euca-describe-services
When SC01 starts, the eucalyptus-cloud process on the host that SC00 is shutdown and maintenance
tasks can be performed. When maintenance is complete, you can start the eucalyptus-cloud process
on SC00. SC00 will enter the DISABLED state by default. You can chose to let SC01 continue to
be the primary and SC00 will be the secondary.
If you want to designate SC00 as the primary, make sure no volumes or snapshots are being created
and that no volumes are being attached or detached, and then enter on SC01:
Monitor the state of services using euca-describe-services until SC01 is marked DISABLED
and SC00 is ENABLED.
View User Resources

To see resource use by your cloud users, Eucalyptus provides the following commands with the -verbose flag.
euca-describe-groups verbose: Returns information about security groups in your account, including
output type identifier, security group ID, security group name, security group description, output type identifier,
account ID of the group owner, name of group granting permission, type of rule, protocol to allow, start of port
range, end of port range, source (for ingress rules) or destination (for egress rules), and any tags assigned to the
security group.
euca-describe-instances verbose: Returns information about your instances, including output type
identifier, reservation ID, name of each security group the instance is in, output type identifier, instance ID for each
running instance, EMI ID of the image on which the instance is based, public DNS name associated with the instance
(for instances in the running state), private DNS name associated with the instance (for instances in running state),
instance state, key name, launch index, instance type, launch time, availability zone, kernel ID, ramdisk ID, monitoring
state, public IP address, private IP address, type of root device (ebs or instance-store), placement group the cluster
instance is in, virtualization type (paravirtual or hvm), any tags assigned to the instance, hypervisor type, block device
identifier for each EBS volume the instance is using, along with the device name, the volume ID, and the timestamp.
euca-describe-keypairs verbose: Returns information about key pairs available to you, including keypair
identifier, keypair name, and private key fingerprint.
euca-describe-snapshots verbose: Returns information about EBS snapshots available to you, including
snapshot identifier, ID of the snapshot, ID of the volume, snapshot state (pending, completed, error), timestamp
when snapshot initiated, percentage of completion, ID of the owner, volume sized, description, and any tags assigned
to the snapshot.
euca-describe-volumes verbose: Describes your EBS volumes, including volume identifier, volume ID,
size of the volume in GiBs, snapshot from which the volume was created, availability zone, volume state (creating,
available, in-use, deleting, deleted, error), timestamp of the volume creation, and any tags assigned to the volume.
List Arbitrators
To see a list a arbitrators running on your cloud, perform the steps listed in this topic.
Enter the following command to display Arbitrators for the current CLC or Walrus:
/usr/sbin/euca-describe-services --system-internal

Enter the following command to display Arbitrators on both primary and secondary CLCs or Walruses:
/usr/sbin/euca_conf --list-arbitrators
Change Network Configuration

You might want to change the original network configuration of your cloud. To change your network configuration,
perform the tasks listed in this topic.
1. Log in to the CLC and open the /etc/eucalyptus/eucalyptus.conf file.
2. Navigate to the Networking Configuration section and make your edits.
3. Save the file.
4. Restart the Cluster Controller.
Add a Node Controller

If you want to increase your systems capacity, youll want to add more Node Controllers (NCs).
To add an NC, perform the following tasks:
Note:
To add an ESXi host as a node controller, please see Re-generating VMWare Broker configuration in the
Installation Guide's Configuring VMWare Support section.
Caution: By default, the node controller uses the filesystem to perform key injection. This is potentially an
unsafe practice. To disable key injection, set DISABLE_KEY_INJECTION=1 in eucalyptus.conf.
1. Log in to the CLC and enter the following command:
/usr/sbin/euca_conf --register-nodes \ "[Node1_IP]; ...

[NodeN_IP];"
2. When prompted, enter the password to log into each node.

Eucalyptus requires this password to propagate the cryptographic keys.
Migrate Instances Between Node Controllers

In order to ensure optimal system performance, or to perform system maintenance, it is sometimes necessary to move
running instances between Node Controllers (NCs). You can migrate instances individually, or migrate all instances
from a given NC.
Important: For migrations to succeed, you must have INSTANCE_PATH set to the same value in the
eucalyptus.conf file on each Node Controller.
To migrate a single instance to another NC, enter the following command:
euca-migrate-instances -i [instance_id]
You can also optionally specify --dest=[destination NC IP] or --exclude-dest=[excluded NC

IP], to ensure that the instance is migrated to one of the specified Node Controllers, or to avoid migrating the
instance to any of the specified Node Controllers. These flags may be used more than once to specify multiple Node
Controllers.

To migrate all instances away from a Node Controller, enter the following command:
euca-migrate-instances --source=[NC IP]
You can also optionally specify --stop-source, to stop the specified Node Controller and ensure that no new
instances are started on that NC while the migration occurs. This allows you to safely remove the NC without
interrupting running instances. The NC will remain in the DISABLED state until it is explicitly enabled using
euca-modify-service -s start [NC IP].
In some cases, timeouts may cause a migration to initially fail. Run the command again to complete the migration.
Remove a Node Controller

Describes how to delete NCs in your system.
If you want to decrease your systems capacity, youll need to decrease NC servers. To delete an NC, perform the
following tasks.
Log in to the CC and enter the following command:
/usr/sbin/euca_conf --deregister-nodes "<nodeName1> ... <nodeNameN>"
Restart Eucalyptus
Describes the recommended processes to restart Eucalyptus, including terminating instances and restarting Eucalyptus
components.
You must restart Eucalyptus whenever you make a physical change (e.g., switch out routers), or edit the eucalyptus.conf
file. To restart Eucalyptus, perform the following tasks in the order presented.
Tip: Before you restart Eucalyptus, we recommend that you notify all users that you are terminating all instances.
Shut Down All Instances

To terminate all instances on all NCs perform the steps listed in this topic.
To terminate all instances on all NCs:
Enter the following command:
euca-terminate-instances <instance_id>
Restart the CLC

Log in to the CLC and enter the following command:
service eucalyptus-cloud restart
All Eucalyptus components on this server will restart.
Restart Walrus
Log in to Walrus and enter the following command:

Restart the CC
Log in to the CC and enter the following command:
Restart the SC
Log in to the SC and enter the following command:
Restart an NC
To restart an NC perform the steps listed in this topic.
1. Log in to the NC and enter the following command:
service eucalyptus-nc restart
2. Repeat for each NC.
You can automate the restart command for all of your NCs. Store a list of your NCs in a file called
nc-hosts that looks like:
nc-host-00
nc-host-01
...
nc-host-nn
To restart all of your NCs, run the following command:
cat nc-hosts | xargs -i ssh root@{} service eucalyptus-nc restart
Shut Down Eucalyptus

Describes the recommended processes to shut down Eucalyptus.
There may be times when you need to shut down Eucalyptus. This might be because of a physical failure, topological
change, backing up, or making an upgrade. We recommend that you shut down Eucalyptus components in the reverse
order of how you started them. To stop the system, shut down the components in the order listed.
Tip: Before you shut Eucalyptus down, we recommend that you notify all users that you are terminating all
instances.
Shut Down All Instances

To terminate all instances on all NCs perform the steps listed in this topic.
To terminate all instances on all NCs:
euca-terminate-instances <instance_id>
Shut Down the NCs

To shut down the NCs perform the steps listed in this topic.

To shut down the NCs:

1. Log in as root to a machine hosting an NC.
2. Enter the following command:
service eucalyptus-nc stop
3. Repeat for each machine hosting an NC.
Shut Down the CCs

To shut down the CCs:
1. Log in as root to a machine hosting a CC.
service eucalyptus-cc stop
3. Repeat for each machine hosting a CC.
Shut Down the Broker

If your system uses the optional Broker component of Eucalyptus, shut it down by performing the steps listed in this
topic.
:
1. Log in as root to the machine running both the CC and the VMware Broker.
service eucalyptus-cloud stop
Tip: The eucalyptus-cloud stop command also shuts down a CLC, Walrus, and SC components
co-located with the CC and VMware Broker to stop at the same time, in the correct order.
Shut Down the SCs

To shut down the SC:
1. Log in as root to the physical machine that hosts the SC.
3. Repeat for any other machine hosting an SC.
Shut Down Walrus

To shut down Walrus:
1. Log in as root to the physical machine that hosts Walrus.
Shut Down the CLC

To shut down the CLC:

1. Log in as root to the physical machine that hosts the CLC.

Back Up and Restore the Database

To back up and restore the database follow the steps listed in this topic.
1. Extract the Eucalyptus PostgreSQL database cluster into a script file.
pg_dumpall --oids -c -h/var/lib/eucalyptus/db/data -p8777 -Uroot

-f~/eucalyptus_pg_dumpall-backup.sql
2. Back up the keys directory.
tar -czvf /var/lib/eucalyptus/keys ~/eucalyptus-keysdir.tgz
3. Stop the CLC service.
/etc/init.d/eucalyptus-cloud stop
4. Remove traces of the old database.
rm -rf /var/lib/eucalyptus/db
5. Re-initialize the database structure.
euca_conf --initialize
6. Start the database manually.
su eucalyptus -c "/usr/pgsql-9.1/bin/pg_ctl start -w \

-s -D/var/lib/eucalyptus/db/data -o '-h0.0.0.0/0 -p8777 -i'"
7. Restore the backup.
psql -U root -d postgres -p 8777 -h /var/lib/eucalyptus/db/data -f

~/eucalyptus_pg_dumpall-backup.sql
8. Restore the keys.
tar -xvf ~/eucalyptus-keysdir.tgz -C /
9. Stop the database manually.
su eucalyptus -c "/usr/pgsql-9.1/bin/pg_ctl stop -D/var/lib/eucalyptus/db/data"
10. Start CLC service
/etc/init.d/eucalyptus-cloud start

Back Up and Restore a DASManager-Configured Storage Controller

Backup a DASManager-Configured Storage Controller
To backup a DASManager-configured storage controller:
1. Perform a database backup as described in Back Up and Restore the DatabaseBack Up and Restore the Database.
2. Backup LVN metadata:
a) Store the output of the vgdisplay, pvdisplay, and lvdisplay settings for Eucalyptus volumes. For this example,
$dasdevice is the value configured for the SC, which can be discovered with the following command:
euca-describe-properties <partition>.storage.dasdevice
If the return value is an LVM volume group, then the following example will work. If it is a raw disk, then
Eucalyptus SC will have created a Volume Group with a name like: "euca-vg-abcd123", use that value for
$dasdevice.
pvdisplay -C >> $backup_dir/das_backup && vgdisplay $dasdevice -C >>

$backup_dir/das_backup && lvdisplay $dasdevice -C >> $backup_dir/das_backup
3. Note: You must have enough disk space to store copies of all your volumes.
Save the content of each volume into a backup file. For example:
for vol in 'lvdisplay $dasdevice -C | awk '/euca/ {print $1}'`; do echo $vol
; dd if=$dasdevice/$vol of=$backup_dir/$vol bs=1M; done
4. Copy all snapshot files from $EUCALYPTUS/var/lib/eucalyptus/volumes/ to your backup directory. For example:
cp $EUCALYPTUS/var/lib/eucalyptus/volumes/snap-* $backup_dir/
Restore a DASManager-Configured Storage Controller

Restore instructions go here.
TBD
TBD
Disable CloudWatch
To disable CloudWatch, run the following command.
<partition>.cloudwatch.disable_cloudwatch_service=true

Eucalyptus | Manage Access | 27
Manage Access
Eucalyptus manages access control through an authentication, authorization, and accounting system. This system manages
user identities, enforces access controls over resources, and provides reporting on resource usage as a basis for auditing
and managing cloud activities.
The user identity organizational model and the scheme of authorizations used to access resources are based on and
compatible with the AWS Identity and Access Management (IAM) system, with some Eucalyptus extensions provided
that support ease-of-use in a private cloud environment.
You can also perform user authentication by integrating Eucalyptus with an existing LDAP or Active Directory. In this
case, the user, group and account information, and Eucalyptus Administrator Console login authenticate using the
LDAP/AD service. This information cannot be changed from Eucalyptus side when LDAP/AD integration is turned on.
However, other Eucalyptus-specific information about user, group and account is still stored within the local database
of Eucalyptus, including certificates, secret keys and attached policies.
For more information about synchronizing an existing LDAP or Active Directory with Eucalyptus, see LDAP/AD
Integration.
Access Overview
The Eucalyptus design of user identity and access management provides layers in the organization of user identities.
This gives you refined control over resource access. Though compatible with the AWS IAM, there are also a few
Eucalyptus-specific extensions that meet the needs of enterprise customers.
Access Concepts
This section describes what Eucalyptus access is and what you need to know about it so that you can configure access
to your cloud.
User Identities
In Eucalyptus, user identities are organized into accounts. An account is the unit of resource usage accounting, and also
a separate namespace for many resources (security groups, key pairs, users, etc.).
Accounts are identified by either a unique ID (UUID) or a unique name. The account name is like IAMs account alias.
It is used to manipulate accounts. However, for AWS compatibility, the EC2 commands often use account ID to display
resource ownership.
There are command line tools to discover the correspondence of account ID and account name. For example,
euare-accountlist lists all the accounts with both their IDs and names.
An account can have multiple users, but a user can only be in one account. Within an account, users can be associated
with Groups. Group is used to attach access permissions to multiple users. A user can be associated with multiple groups.
Because an account is a separate name space, user names and group names have to be unique only within an account.
Therefore, user X in account A and user X in account B are two different identities.
Both users and groups are identified by their names, which are unique within an account (they also have UUIDs, but
are rarely used).
Special Identities
Eucalyptus has two special identities for the convenience of administration and use of the system.
The eucalyptus account: Each user in the eucalyptus account has unrestricted access to all of the cloud's resources,
similar to the superuser on a typical Linux system. These users are often referred to as system administrators or cloud
administrators. This account is automatically created when the system starts for the first time. You cannot remove
the eucalyptus account from the system.

The admin user of an account: Each account, including the eucalyptus account, has a user named admin. This user
is created automatically by the system when an account is created. The admin of an account has full access to the
resources owned by the account. You can not remove the admin user from an account. The admin can delegate
resource access to other users in the account by using policies.
Credentials
This topic describes the different types of credentials used by Eucalyptus.
Each user has a unique set of credentials. These credentials are used to authenticate access to resources. There are three
types of credentials:
An X.509 certificate is used to authenticate requests to the SOAP API service.
A secret access key is used to authenticate requests to the REST API service.
A login password is used to authenticate the Eucalyptus Administrator Console access.
You can manage credentials using the command line tools (the euare- commands) or the Eucalyptus Administrator
Console. For more information about the command line tools, see the Euca2ools Reference Guide.
In IAM, each account has its own credentials. In Eucalyptus, the equivalent of account credentials are the credentials
of admin user of the account.
You can download the full set of credentials for a user or an account, including X509 certificate and secret access key,
by:
/usr/sbin/euca_conf --get-credentials
or:
euca-get-credentials
or by using the Download new credentials in the Eucalyptus Administrator Console.

Whichever way you request the credentials, Eucalyptus returns the following:
An arbitrary existing active secret access key
A newly generated X509 certificate
Account Creation
This topic describes the process for creating an account.
You can create accounts two ways:
Direct creation using command line tool or Eucalyptus dashboard by sys admin. The accounts created in this method
will be available for accessing immediately.
Registration process. One can apply for an account through the dashboard. The process is as follows:
1. The cloud user registers using the form on the dashboard interface.
2. An email will then be sent to the sys admin for review. Sys admin can approve or reject the application by invoking
a URL included in the email. A notification email will be sent to the intended account owner.
3. If the application is approved, the account owner needs to invoke the URL included in the notification email to
confirm the approval.
4. Once confirmed, the new account becomes available.
The account registration status can be found in Eucalyptus Administrator Console. The account registration status is
actually associated with the account admin user. That means you can use the following command to obtain the same
information:
euare-usergetattributes --as-account account -u admin --show-extra
Where the --show-extra option displays extra information of a user in the following order:

Enabled status
Registration status
Password expires
The account registration status has the following values based on the status of registration process: REGISTERED,
APPROVED, or CONFIRMED. An account that is not confirmed cannot be used or accessed. The system administrator
can manipulate the account registration status in both dashboard and command line:
euare-usermod --as-account account -u admin --reg-status=status
The command line manipulation of the registration status does not send the notification emails. Unless you are experienced,
we recommend that you use the Eucalyptus Administrator Console.
Special User Attributes

Eucalyptus extends the IAM model by providing the following extra attributes for a user.
Registration status: This is only meaningful for the account administrator (that is, the account level).
Enabled status: . Use this attribute to temporarily disable a user.
Password expiration date
Custom information: Add any name-value pair to a users custom information attribute. This is useful for attaching
pure text information, like an address, phone number, or department. This is especially helpful with external LDAP
or Active Directory services.
You can retrieve and modify the registration status, enabled status, and password expiration date using the
euare-usergetattributes and euare-usermod commands. You can retrieve and modify custom information
using euare-usergetinfo and euare-userupdateinfo commands. For more information, see the Euca2ools
Reference Guide for details about these commands.
Policy Overview
Eucalyptus uses the policy language to specify user level permissions as AWS IAM. Policies are written in JSON. Each
policy file can contain multiple statements, each specifying a permission.
A permission statement specifies whether to allow or deny a list of actions to be performed on a list of resources, under
specific conditions.
A permission statement has the following components:
Effect: Begins the decision that applies to all following components. Either: Allow or Deny
Action or NotAction: Indicates service-specific and case-sensitive commands. For example:
ec2:RunInstances
Resource or NotResource: Indicates selected resources, each specified as an Amazon resource name (ARN). For
example: arn:aws:s3:::acme_bucket/blob
Condition: Indicates additional constraints of the permission. For example: "DateGreaterThan"
The following policy example contains a statement that gives a user with full permission. This is the same access as the
account administrator:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"1",
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}]
}
For more information about policy language, go to the IAM User Guide.

Policy Notes
You can combine IAM policies with account level permissions. For example, the admin of account A can give users in
account B permission to launch one of account As images by changing the image attributes. Then the admin of account
B can use IAM policy to designate the users who can actually use the shared images.
You can attach IAM policies to both users and groups. When attached to groups, a policy is equivalent to attaching the
same policy to the users within that group. Therefore, a user might have multiple policies attached, both policies attached
to the user, and policies attached to the group that the user belongs to.
Do not attach IAM policies (except quota policies, a Eucalyptus extension) to account admins. At this point, doing so
wont result in a failure but may have unexpected consequences.
Policy Extensions
Eucalyptus extends the IAM policy in order to meet the needs of enterprise customers.
EC2 Resource
In IAM, you cannot specify EC2 resources in a policy statement except a wildcard,*. So, you can't restrict a permission
to specific EC2 entities. For example, you can't restrict a user to run instances on a specific image or VM type. To solve
that, Eucalyptus created the EC2 resource for the policy language. The following example shows the ARN of an EC2
resource.
arn:aws:ec2::<account_id>:<resource_type>/<resource_id>
Where account id is optional.

Eucalyptus supports the following resource types for EC2:
image
securitygroup
address (either an address or address range: 192.168.7.1-192.168.7.255)
availabilityzone
instance
keypair
volume
snapshot
vmtype
The following example specifies permission to launch instances with only an m1.small VM type:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"2",
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource": [
"arn:aws:ec2:::vmtype/m1.small",
"arn:aws:ec2:::image/*",
"arn:aws:ec2:::securitygroup/*",
"arn:aws:ec2:::keypair/*",
"arn:aws:ec2:::availabilityzone/*",
"arn:aws:ec2:::instance/*"
]
}]
}

Policy Key
Eucalyptus implements the following AWS policy keys:
aws:CurrentTime
aws:SourceIp
Eucalyptus extends the policy keys by adding the following to the lifetime of an instance:
ec2:KeepAlive: specifies the length of time (in seconds) that an instance can run
ec2:ExpirationTime: specifies the expiration time (in seconds) for an instance
The following example restricts an instance running time to 24 hours:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"3",
"Effect":"Allow",
"Resource":"*",
"Condition":{
NumericEquals:{
ec2:KeepAlive:1440
}
}
}]
}
If there are multiple ec2:KeepAlive or ec2:ExpirationTime keys that match a request, Eucalyptus chooses
the longer lifetime for the instance to run.
Default Permissions
Different identities have different default access permissions. When no policy is associated with them, these identities
have the permission listed in the following table.
Identity Permission
System admin Access to all resources in the system

Account admin Access to all account resources, including those shared
resources from other accounts like public images and shared
snapshots
Regular user No access to any resource
For convenience, Eucalyptus grants the following default access to regular users:
Users can list themselves (euare-userlistbypath)
Users can get their own attributes (euare-usergetattributes)
Users can get information about themselves (euare-usergetinfo)
Users can list their own accounts (euare-accountlist)
Account admininstrators have the following default permissions:
euare-accountlistpolicies
euare-accountgetpolicy
Quotas
Eucalyptus adds quota enforcement to resource usage. To avoid introducing another configuration language into
Eucalyptus, and simplify the management, we extend the IAM policy language to support quotas.

The only addition added to the language is the new limit effect. If a policy statements effect is limit, it is a
quota statement.
A quota statement also has action and resource fields. You can use these fields to match specific requests, for example,
quota only being checked on matched requests. The actual quota type and value are specified using special quota keys,
and listed in the condition part of the statement. Only condition type NumericLessThanEquals can be used
with quota keys.
Important: An account can only have a quota policy. Accounts can only accept IAM policies where Effect is
"Deny" or "Limit". If you attach an IAM policy to an account where the Effect is "Allow", you will get unexpected
results.
The following quota policy statement limits the attached user to only launch a maximum of 16 instances in an account.
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"4",
"Effect":"Limit",
"Resource":"*",
"Condition":{
NumericLessThanEquals:{
ec2:quota-vminstancenumber:16
}
}
}]
}
You can attach quotas to both users and accounts, although some of the quotas only apply to accounts. Quota attached
to groups will take no effect.
When a quota policy is attached to an account, it actually is attached to the account administrator user. Since only system
administrator can specify account quotas, the account administrator can only inspect quotas but can't change the quotas
attached to herself.
The following is all the quota keys implemented in Eucalyptus:
Quota Key Description Applies to
s3:quota-bucketnumber Number of S3 buckets account and user

s3:quota-bucketobjectnumber Number of objects in each bucket, account and user
s3:quota-bucketsize Size of bucket, in MB account and user
s3:quota-buckettotalsize total size of all buckets, in MB account and user
ec2:quota-addressnumber Number of elastic IPs account and user
ec2:quota-imagenumber Number of EC2 images account and user
ec2:quota-snapshotnumber Number of EC2 snapshots account and user
ec2:quota-vminstancenumber Number of EC2 instances account and user
ec2:quota-volumenumber Number of EC2 volumes account and user
ec2:quota-volumetotalsize Number of total volume size, in GB account and user
iam:quota-groupnumber Number of IAM groups account
iam:quota-usernumber Number of IAM users account

Default Quota
Contrary to IAM policies, by default, there is no quota limits (except the hard system limit) on any resource allocations
for a user or an account. Also, system administrators are not constrained by any quota. Account administrators are only
be constrained by account quota.
Algorithms
This topic describes the algorithms used by Eucalyptus to determine access.
Policy Evaluation Algorithm

You can associated multiple policies and permission statements with a user. The way these are combined together to
control the access to resources in an account is defined by the policy evaluation algorithm. Eucalyptus implements the
same policy evaluation algorithm as AWS IAM:
1. If the request user is account admin, access is allowed.
2. Otherwise, collect all the policy statements associated with the request user (attached to the user and all the groups
the user belongs to), which match the incoming request (i.e. based on the API being invoked and the resources it is
going to access).
a. If there is no matched policy statement, access is denied (default implicit deny).
b. Otherwise, evaluate each policy statement that matches.
If there is a statement that explicitly denies the access, the request is denied.
If there is no explicit deny, which means there is at least one explicit allow, access is allowed.
Access Evaluation Algorithm

Now we give the overall access evaluation combining both account level permissions and IAM permissions, which
decides whether a request is accepted by Eucalyptus:
1. If the request user is sys admin, access is allowed.
2. Otherwise, check account level permissions, e.g. image launch permission, to see if the request users account has
access to the specific resources.
a. If not, the access is denied.
b. Otherwise, invoke the policy evaluation algorithm to check if the request user has access to the resources based
on IAM policies.
Quota Evaluation Algorithm

Like the normal IAM policies, a user may be associated with multiple quota policies (and multiple quota statements).
How all the quota policies are combined to take effect is defined by the quota evaluation algorithm:
1. If the request user is sys admin, there is no limit on resource usage.
2. Otherwise, collect all the quotas associated with the request user, including those attached to the request users
account and those attached to the request user himself/herself (for account admin, we only need collect account
quotas).
3. Evaluate each quota one by one. Reject the request as long as there is one quota being exceeded by the request.
Otherwise, accept the request.
Note: The hard limits on some resources override quota limits. For example,
walrus.storagemaxbucketsizeinmb (system property) overrides the s3:quota-bucketsize
(quota key).
Sample Policies
A few example use cases and associated policies.

Here are some example use cases and associated polices. You can edit these polices for your use, or use them as examples
of JSON syntax and form.
Tip: For more information about JSON syntax used with AWS resources, go to Using AWS Identity and Access
Management.
Examples: Allowing Specific Actions

The following policy allows a user to only run instances and describe things.
{
"Statement":[{
"Effect":"Allow",
"Action":["ec2:*Describe*","ec2:*Run*"],
"Resource":"*",
}
]
}
The following policy allows a user to only list things:
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
The following policy grants a generic basic user permission for running instances and describing things.
{
"Statement": [
{
"Sid": "Stmt1313605116084",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachVolume",
"ec2:Authorize*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:Describe*",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:GetConsoleOutput",
"ec2:RunInstances",
"ec2:TerminateInstances"
"ec2:ReleaseAddress"
],

"Effect": "Allow",
"Resource": "*"
}
]
}
Examples: Denying Specific Actions

The following policy allows a user to do anything but delete.
{
"Statement": [
{
"Action": [
"ec2:Delete*"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
The following policy denies a user from creating other users.
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:CreateUser"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
Examples: Specifying Time Limits

The following policy allows a user to run instances within a specific time.
{
"Statement": [
{
"Sid": "Stmt1313453084396",
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:CurrentTime": "2011-08-16T00:00:00Z"
}
}
}
]
}

The following policy blocks users from running instances at a specific time.
{
"Statement": [
{
"Sid": "Stmt1313453084396",
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:CurrentTime": "2011-08-16T00:00:00Z"
}
}
}
]
}
The following policy keeps alive an instance for .
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "NumericEquals":{"ec2:KeepAlive":"60000"}}
}
]
}
The following policy sets an expiration date on running instances.
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "DateEquals":{"ec2:ExpirationTime":"2011-08-16T00:00:00Z"}}
}
]
}
Examples: Restricting Resources

The following policy allows users to only launch instances with a large image type.
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:::vmtype/m1.xlarge"
}

]
}
The following policy restricts users from launching instances with a specific image ID.
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::image/emi-0FFF1874"
}
]
}
The following policy restricts users from allocating addresses to a specific elastic IP address.
{
"Statement": [
{
"Sid": "Stmt1313626078249",
"Action": "*",
"Effect": "Deny",
"Resource": "arn:aws:ec2:::address/192.168.10.140"
}
]
}
The following policy denies volume access.
{
"Statement": [
{
"Action": [
"ec2:*"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::volume/*"
}
]
}
LDAP/AD Integration
You can use the Eucalyptus LDAP/Active Directory (AD) integration to synchronize existing LDAP/AD user and group
information with Eucalyptus.
When you enable LDAP/AD synchronization, Eucalyptus does the following:
Imports specified user and group information from LDAP or AD and maps them into a predefined two-tier
account/group/user structure
Authenticates Eucalyptus Administrator Console users through the connected LDAP or AD service
Note that Eucalyptus only imports the identities and some related information. Any Eucalyptus-specific attributes are
still managed from Eucalyptus. These include:
User credentials: secret access keys and X.509 certificates. The Eucalyptus Administrator Console login password
is an exception. Eucalyptus does not download passwords from LDAP/AD and does not save them either. Eucalyptus

authenticates Eucalyptus Administrator Console logins directly through LDAP/AD, using LDAP/AD authentication
(simple or SASL).
Policies: IAM policies and quotas. Policies are associated with identities within Eucalyptus, and stored in internal
database.
Also note that special identities, including system administrators and account administrators, are created in Eucalyptus
and not imported from LDAP/AD. Only normal user identities are imported.
Important: If you integrate LDAP/AD, you do not need to create IAM user login profiles for your users.
Identity Mapping
Identities in LDAP/AD are organized differently from the identity structure in Eucalyptus. So a transformation is required
to map LDAP/AD identities into Eucalyptus.
The following image shows a simple scheme of how the mapping works. In this scheme, the user groups in LDAP tree
are partitioned into two sets. Each set is mapped into one separate account. Group 1, 2 and 3 are mapped to Account 1
and Group 4 and 5 are mapped to Account 2. As the result, all users in Group 1, 2 and 3 will be in Account 1, and all
users in Group 4 and 5 will be in Account 2.
To summarize the mapping method:

1. Pick user groups from LDAP/AD and combine them into different accounts. There are two ways of doing this:
Use something called accounting groups. Account groups are essentially groups of groups. Accounting groups
rely on a key understanding of object class types in LDAP. In short, accounting groups are mapped to
STRUCTURAL object classes in LDAP. For more information about object class types, refer to the LDAP Models
RFC under the "2.4. Object Classes". Each accounting group contains multiple user groups in LDAP/AD. Then
each accounting group maps to an account in Eucalyptus.
Manually partition groups into accounts. Each group partition maps to an account.
2. Once the accounts are defined (by accounting groups or group partitions), all the LDAP/AD user groups will be
mapped into Eucalyptus groups within specific accounts; and LDAP/AD users will be mapped into Eucalyptus users.
Using the options to filter the groups and users to be imported into Eucalyptus allows granular control.
3. Groups are group object types in LDAP. The group object type in LDAP/AD needs to have the attribute type
determining membership where the value is the Fully Distinguished Name (FDN) of the user(s). Some examples of
group object types for LDAP/AD are as follows:
groupOfNames
groupOfUniqueNames
Group-Of-Names
groupOfUniqueNames
Group
Note that each group can be mapped into multiple accounts. But understand that Eucalyptus accounts are separate name
spaces. So for groups and users that are mapped into different accounts, their information (name, attributes, etc) will be
duplicated in different accounts. And duplicated users will have separate credentials in different accounts. For example,

Group 1 may map to both Account 1 and Account 2. Say user A belongs to Group 1. Then Account 1 will have user A
and Account 2 will also have user A. User A in Account 1 and user A in Account 2 will have different credentials,
policies, etc., but the same user information.
Note: Currently, there is not a way to map individual users into an account. The mapping unit is LDAP user
group. What maps where groups and users end up regarding accounts DEPENDS upon the accounting-groups
or groups-partition definitions.
LDAP/AD Integration Configuration

The LDAP/AD Integration Configuration (LIC) is a JSON format file. This file specifies everything Eucalyptus needs
to know about how to synchronize with an LDAP or AD service.
You can find a LIC template at /usr/share/eucalyptus/lic_template. This template shows all the fields
of the LIC, and provides detailed documentation and example values for each field.
To start a LIC file, use the LIC command line tool.
/usr/sbin/euca-lictool --password <password> --out example.lic
The above command invokes the LIC tool to create a template LIC and fill in the encrypted password for authenticating
to LDAP/AD service (i.e. the password of the administrative user for accessing the LDAP/AD during synchronization).
The LIC tools primary functions are to encrypt the LDAP/AD password and to generate the starting LIC template. The
usage of the LIC tool shows different ways to invoke the command.
Once you have the LIC template, you can fill in the details by editing the *.lic file using your favorite editor as it is
a simple text file. As we said above, the LIC file is in JSON format. Each top level entity specifies one aspect of the
LDAP/AD synchronization. The following shows one possible example of a LIC file.
{
"ldap-service":{
"server-url":"ldap://localhost:7733",
"auth-method":"simple",
"user-auth-method":"simple",
"auth-principal":"cn=ldapadmin,dc=foo,dc=com",
"auth-credentials": "{RSA/ECB/PKCS1Padding}EAXRnvwnKtCZOxSrD/F3ng/yHH3J4jMxNUS
kJJf6oqNMsUihjUerZ20e5iyXImPgjK1ELAPnppEfJvhCs7woS7jtFsedunsp5DJCNhgmOb2CR/MnH
11V3FNY7bBWoew5A8Wwy6x7YrPMS0j7dJkwM7yfp1Z6AbKOo2688I9uIvJUQwEKS4dOp7RVdA0izlJ
BDPAxiFZ2qa40VjFI/1mggbiWDNlgxiVtZXAEK7x9SRHJytLS8nrNPpIvPuTg3djKiWPVOLZ6vpSgP
cVEliP261qdUfnf3GDKi3jqbPpRRQ6n8yI6aHw0gAtq8/qPyqjkkDP8JsGBgmXMxiCNPogbWg==",
"use-ssl":"false",
"ignore-ssl-cert-validation":"false",
"krb5-conf":"/path/to/krb5.conf",
},
"sync":{
"enable":"true",
"auto":"true",
"interval":"900000",
"clean-deletion":"false",
},
"accounting-groups":{
"base-dn":"ou=groups,dc=foo,dc=com",
"id-attribute":"cn",
"member-attribute":"member",
"selection":{

"filter":"objectClass=accountingGroup",
"select":["cn=accountingToSelect,ou=Groups,dc=foo,dc=com"],
"not-select":["cn=accountingToIgnore,ou=Groups,dc=foo,dc=com"],
}
},
"groups":{
"base-dn":"ou=groups,dc=foo,dc=com",
"id-attribute":"cn",
"member-attribute":"member",
"selection":{
"filter":"objectClass=groupOfNames",
"select":["cn=groupToSelect,ou=Groups,dc=foo,dc=com"],
"not-select":["cn=groupToIgnore,ou=Groups,dc=foo,dc=com"],
}
},
"users":{
"base-dn":"ou=people,dc=foo,dc=com",
"id-attribute":"uid",
"user-info-attributes":{
"fullName":"Full Name",
"email":"Email"
},
"selection":{
"filter":"objectClass=inetOrgPerson",
"select":["uid=john,ou=People,dc=foo,dc=com",
"uid=jack,ou=People,dc=foo,dc=com"],
"not-select":["uid=tom,ou=People,dc=foo,dc=com"],
}
},
In the following sections explain each field of LIC in detail.

ldap-service
The ldap-service element contains everything related to the LDAP/AD service.
Element Description
server-url The LDAP/AD server URL, starting with ldap://.

auth-method The LDAP/AD authentication method to perform
synchronization.
auth-principal The ID of the administrative user for synchronization.
auth-credentials The credentials for LDAP/AD authentication, like a
password. We recommend that you encrypt this using
/usr/sbin/euca-lictool.
user-auth-method The LDAP/AD authentication method for normal users to
perform Eucalyptus Administrator Console login.
simple: for clear text user/password authentication.
DIGEST-MD5: for SASL authentication using MD5
GSSAPI: SASL authentication using Kerberos V5.
use-ssl Specifies whether to use SSL for connecting to LDAP/AD

service. If this option is enabled, make sure the SSL port
for LDAP is defined as part of the server-url. The default
port for LDAP+SSL is port 636.

Element Description
ignore-ssl-cert-validation Specifies whether to ignore self-signed SSL certs. This is

useful when you only have self-signed SSL certs for your
LDAP/AD services.
krb5-conf The file path for krb5.conf, if you use GSSAPI
authentication method.
sync
The sync element contains elements for controlling synchronization.
Element Description
enable States whether the Eucalyptus Administrator Console uses

LDAP rather than the Eucalyptus database for log-ins. Set
to true to turn on LDAP web logging. Set to false to use
the Eucalyptus database for web logging. If set to false,
you can ignore all other fields in this section. Default value:
false
auto Set to true to turn on automatic synchronization. Set to
false to turn off synchronization.
interval The length in milliseconds of the automatic synchronization
interval.
clean-deletion Parmeter denoting whether to remove identity entities from
Eucalyptus when they are deleted from LDAP. Set to true
if you want Eucalyptus to remove any identities once their
counterparts in LDAP are deleted. Set to false if you want
these identities kept without being purged.
accounting-groups
This section uses a special group in LDAP/AD to designate accounts in the Eucalyptus accounting group. The accounting
group takes normal LDAP/AD groups as members, i.e., they are groups of groups.
The accounting groups name becomes the account name in Eucalyptus. The member groups become Eucalyptus groups
in that account. And the users of all those groups become Eucalyptus users within that account and corresponding
Eucalyptus groups.
Important: If you use accounting-groups, remove the groups-partition section. These two sections
are mutually exclusive.
Element Description
base-dn The base DN of accounting groups in the LDAP/AD tree.

id-attribute The ID attribute name of the accounting group entry in
LDAP/AD tree.
member-attribute The LDAP/AD attribute name for members of the
accounting group.

Element Description
selection The accounting groups you want to map to. This contains
the following elements:
filter: The LDAP/AD searching filter used for the
LDAP/AD search to get the relevant LDAP/AD entities,
e.g. the users to be synchronized. (Example:
objectClass=groupOfNames). This element works the
same as the filter option that is found in ldapsearch,
therefore when doing more advanced searching using
compound filters, use boolean operators - AND (&),
OR (|), and/or NOT (!). (Example:
(&(ou=Sales)(objectClass=groupOfNames))
select: Explicitly gives the full DN of entities to be
synchronized, in case they can not be specified by the
search filter. (Example:
cn=groupToSelect,ou=Groups,dc=foo,dc=com)
not-select: Explicitly gives the full DN of entities NOT
to be synchronized, in case this can not be specified by
the search filter. (Example:
cn=groupToIgnore,ou=Groups,dc=foo,dc=com)
groups-partition
Like accounting-groups, groups-partition specifies how to map LDAP/AD groups to Eucalyptus accounts. However, in
this section you to manually specify which LDAP/AD groups you want to map to Eucalyputs accounts.
Important: If you use groups-partition, remove the accounting-groups section. These two sections
are mutually exclusive.
The Eucalyptus accounts are created by partitioning LDAP/AD groups. Each partition composes an Eucalyptus account.
So all the groups within the partition become Eucalyptus groups within that account. All the users of those groups will
become Eucalyptus users within that account and the corresponding Eucalyptus groups.
This section requires that you specify one partition at a time, using a list of JSON key-value pairs. For each entry, the
key is the account name to be mapped and the value is a list of names of LDAP/AD groups to be mapped into the account.
For example:
"groups-partition": {
"salesmarketing": ["sales", "marketing"],
"devsupport": ["engineering", "support"],
}
Here salesmarketing and devsupport are names for the groups partition and are used as the corresponding Eucalyptus
account names.
Tip: If you use groups-partition, remove the accounting-groups section. These two sections are mutually
exclusive.
groups
Thi groups element specifies how to map LDAP/AD groups to Eucalyptus groups. It contains the elements listed in
the following table. The meanings are similar to those in accounting-groups element.
Element Description
base-dn The base DN for searching groups.

id-attribute The ID attribute name of the LDAP group.

Element Description
member-attribute The name of the attribute for group members. Usually, it

is member in modern LDAP implementation, which lists
full user DN.
selection The specific LDAP/AD groups you want to map to. This
contains the following elements:
objectClass=groupOfNames). This element works the
same as the filter option that is found in ldapsearch,
(&(ou=Sales)(objectClass=groupOfNames))
select: The LDAP/AD searching filter used for the
objectClass=groupOfNames)
cn=groupToIgnore,ou=Groups,dc=foo,dc=com)
users
Explicitly gives the full DN of entities NOT to be synchronized, in case this can not be specified by the search filter.
Element Description
base-dn The base DN for searching users.

id-attribute The attribute ID of the LDAP user.
selection The specific LDAP/AD users you want to map to. This
contains the following elements:
objectClass=organizationalPerson). This element works
the same as the filter option that is found in ldapsearch,
(&(ou=Sales)(objectClass=organizationalPerson)))
select: Explicitly gives the full DN of entities to be
synchronized, in case they can not be specified by the
search filter. (Example:
cn=userToSelect,ou=People,dc=foo,dc=com)
cn=userToIgnore,ou=People,dc=foo,dc=com)

Synchronization Process
This topic explains what happens to start the synchronization process and what the synchronization process does.
The synchronization always starts when the following happens:
You manually upload a LDAP/AD Integration Configuration (LIC) file. Every new or updated LIC upload triggers
a new synchronization.
If the automatic synchronization is enabled, a synchronization is started when the timer goes off.
Note: Eucalyptus does not allow concurrent synchronization. If you trigger synchronization more than once
within a short time period, Eucalyptus only allows the first one.
During a synchronization, everything specified by an LIC in the LDAP/AD tree will be downloaded into Eucalyptus
internal database. Each synchronization is a merging process of the information already in the database and the information
from LDAP/AD. There are three cases for each entity: user, group or account:
If an entity from LDAP/AD is not in Eucalyptus, a new one is created in the database.
If an entity from LDAP/AD is already in Eucalyptus, the Eucalyptus version is updated. For example, if a users
info attributes are changed, those changes are downloaded and updated.
If an entity in Eucalyptus is missing from LDAP/AD, it will be removed from the database if the clean-deletion
option in LIC is set to true. Otherwise, it will be left in the database.
Important: If clean-deletion is set to true, the removed entities in Eucalyptus will be lost forever, along with
all its permissions and credentials. The resources associated with the entity will be left untouched. It is system
administrators job to recycle these resources.
Access Tasks
This section provides details about the tasks you perform using policies and identities. The tasks you can perform are
divided up into tasks for users, tasks for groups, and tasks for policies.
The following use cases detail work flows for common processes:
Use Case: Create an Administrator
Use Case: Create a User
You can perform the following access-related tasks listed in the following sections:
Accounts:
Add an Account
Approve an Account
Reject an Account
Rename an Account
List Accounts
Delete an Account
Groups:
Create a Group
Add a Group Policy
Modify a Group
Add a User to a Group
Remove a User from a Group
List Groups
List Policies for a Group
Delete a Group
Users:

Add a User
Create a Login Profile
Modify a User
List Users
Delete a User
Credentials:
Generating User Credentials
Retrieving Existing User Credentials
Uploading a Certificate
Working with Administrator Credentials
Use Case: Create an Administrator

This use case details tasks for creating an administrator. These tasks require that you have your account credentials for
sending requests to Eucalyptus using the command line interface (CLI) tools.
To create an administrator account, perform the tasks that follows.
Create an Admin Group

Eucalyptus recommends using account credentials as little as possible. You can avoid using account credentials by
creating a group of users with administrative privileges.
1. Create a group called administrators.
euare-groupcreate -g administrators
2. Verify that the group was created.
euare-grouplistbypath
Eucalyptus returns a listing of the groups that have been created, as in the following example.
arn:aws:iam::123456789012:group/administrators
Add a Policy to the Group

Add a policy to the administrators group that allows its members to perform all actions in Eucalyptus.
Enter the following command to create a policy called admin-root that grants all actions on all resources to all
users in the administrators group:
euare-groupaddpolicy -p admin-root -g administrators -e Allow -a "*" -r "*"

-o
Create an Administrative User

Create a user for day-to-day administrative work and add that user to the administrators group.
1. Enter the following command to create an administrative user named alice:
euare-usercreate -u alice

2. Add the new administrative user to the administrators group.
euare-groupadduser -g administrators -u alice
Generate Administrative Credentials

To start running commands as the new administrative user, you must create an access key for that user.
1. Enter the following command to generate an access key for the administrative user:
euare-useraddkey -u alice
Eucalyptus returns the access key ID and the user's secret key.
2. Open the ~/.eucarc file and replace your account credentials you just created, as in this example:
export EC2_ACCESS_KEY='WOKSEQRNM1LVIR702XVX1'
export EC2_SECRET_KEY='0SmLCQ8DAZPKoaC7oJYcRMfeDUgGbiSVv1ip5WaH'
3. Save and close the file.

4. Open the ~/.iamrc file and replace your account credentials, as in this example:
AWSAccessKeyId=WOKSEQRNM1LVIR702XVX1
AWSSecretKey=0SmLCQ8DAZPKoaC7oJYcRMfeDUgGbiSVv1ip5WaH

6. Switch euca2ools over to using the new credentials.
source ~/.eucarc
Use Case: Create a User

This use case details tasks needed to create a user with limited access.
Create a Group
We recommend that you apply permissions to groups, not users. In this example, we will create a group for users with
limited access.
1. Enter the following command to create a group for users who will be allowed create snapshots of volumes in
Eucalyptus.
euare-groupcreate -g ebs-backup
2. Open an editor and enter the following JSON policy:
{
"Statement": [
{
"Action": [
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "*"
}

]
}

4. Enter the following to add the new policy name allow-snapshot and the JSON policy file to the ebs-backup
group:
euare-groupuploadpolicy -g ebs-backup -p allow-snapshot -f allow-snapshot.json
Create the User

Create the user for the group with limited access.
Enter the following command to create the user sam in the group ebs-backup and generate a new key pair for
the user:
euare-usercreate -u sam -g ebs-backup -k
Eucalyptus responds with the access key ID and the secret key, as in the following example:
AKIAJ25S6IJ5K53Y5GCA
QLKyiCpfjWAvlo9pWqWCbuGB9L3T61w7nYYF057l
Accounts
Accounts are the primary unit for resource usage accounting. Each account is a separate name space and is identified
by its UUID (Universal Unique Identifier).
Tasks performed at the account level can only be done by the users in the eucalyptus account.
Add an Account
To add an account perform the steps listed in this topic.
Add an Account (CLI)
To add a new account using the CLI:
euare-accountcreate -a <account_name>
Eucalyptus returns the account name and its ID, as in this example:
account01 592459037010
Add an Account (Eucalyptus Administrator Console)

To add a new account using the Eucalyptus Administrator Console:
1. Click Accounts in the Quick Links section.
The Accounts page displays.
2. Click New account in the Accounts page.
The Create a new account popup displays.
3. Enter an account name in the Account name field and click OK.

The new account displays in the list on the Accounts page.
Approve an Account
To approve an account perform the steps listed in this topic.
2. Click the ID of the account you want to approve.
The account, name, and Registration status are highlighted.
3. Click Approve.
The Approve selected accounts popup displays.
4. Verify that the displayed account is the one you want, and click OK.
The account's registration status displays as CONFIRMED on the Accounts page.
Reject an Account
To reject an account perform the steps listed in this topic.
2. Click the ID of the account you want to delete.
3. Click Reject.
The Reject selected accounts popup displays.
The account no longer displays on the Accounts page.
Rename an Account
To rename an account perform the steps listed in this topic.
This section explains steps to perform so that you can rename an account.
Using the CLI
To change an account's name using the CLI:
uare-accountaliascreate -a <new_name>
Using the Eucalyptus Administrator Console

To change an account's name using the Eucalyptus Administrator Console:
2. Click the ID of the account you want to rename.

The account's Properties area displays.

3. In the Name field, enter the new name of the account.
4. Click Save.
The new account name displays in the Accounts page.
List Accounts
To list accounts perform the steps in this topic.
Using the CLI
Use the euare-accountlist command to list all the accounts in an account or to list all the users with a particular
path prefix. The output lists the ARN for each resulting user.
euare-userlistbypath -p <path>

To list accounts using the Eucalyptus Administrator Console:
Click Accounts in the Quick Links section.
The Accounts page displays all accounts in your cloud.
Delete an Account
To delete an account perform the steps listed in this topic.
Tip: If there are resources tied to the account that you delete, the resources remain. We recommend that you
delete these resources first.
Delete an Account (CLI)

To delete an account using the CLI:
euare-accountdel -a <account_name> -r true
Use the -r option set to true to delete the account recursively. You don't have to use this option if have already
deleted users, keys, and passwords in this account.
Eucalyptus does not return any message.
Delete an Account (Eucalyptus Administrator Console)
To delete an account:
2. Click the ID of the account you want to delete.
3. Click Delete accounts.
The Delete selected accounts popup displays.

The account no longer displays in the list on the Accounts page.
Groups
Groups are used to share resource access authorizations among a set of users within an account. Users can belong to
multiple groups.
Important: A group in the context of access is not the same as a security group.
This section details tasks that can be performed on groups.
Create a Group
To create a group perform the steps listed in this topic.
Using the CLI
To create a group using the CLI:
euare-groupcreate -g <group_name>
Eucalyptus does not return anything.

To create a group using the Eucalyptus Administrator Console:
2. Click the ID of the account you want to add a group to.
3. Click New groups in the Accounts page.
The Create new groups popup displays.
4. Enter the group name in the Group name field.
Tip: You can add more than one group at a time. Every group you add, however, will be in the same path.
5. Enter the group path in the Group path field.

6. Click OK.
The group is associated with the account you chose. You can see the information if you select the account in the Accounts
page and click the Member groups link, located in the Properties section of the screen.

Add a Group Policy

To add a group policy perform the steps listed in this topic.
Using the CLI
To add a policy to a group using the CLI:
euare-groupaddpolicy -g <group_name> -p <policy_name> -e <effect> -a

<actions> -o
The optional -o parameter tells Eucalyptus to return the JSON policy, as in this example:
{"Version":"2008-10-17","Statement":[{"Effect":"Allow",
"Action":["ec2:RunInstances"], "Resource":["*"]}]}

To add a policy to a group using the Eucalyptus Administrator Console:
1. Click Groups in the Quick Links section.
The Groups page displays.
2. Click the ID of the group you want to add a policy to.
The ID, Name, Path, and Owner account line is highlighted.
3. Click Add policy.
The Add new policy popup displays.
4. Enter the policy name in the Policy name field.
5. Enter the policy content in the Policy content field.
6. Click OK.
The policy is now added to the group.
Modify a Group
To modify a group perform the steps listed in this topic.
Modifying a group is similar to a "move" operation. Whoever wants to modify the group must have permission to do it
on both sides of the move. That is, you need permission to remove the group from its current path or name, and put that
group in the new path or name.
For example, if a group changes from one area in a company to another, you can change the group's path from
/area_abc/ to /area_efg/. You need permission to remove the group from /area_abc/. You also need
permission to put the group into /area_efg/. This means you need permission to call UpdateGroup on both
arn:aws:iam::123456789012:group/area_abc/* and
arn:aws:iam::123456789012:group/area_efg/*.
Using the CLI
To modify a group using the CLI:
1. Enter the following command to modify the group's name:
euare-groupmod -g <group_name> --new-group-name <new_name>
Eucalyptus does not return a message.

2. Enter the following command to modify a group's path:
euare-groupmod -g <group_name> -p <new_path>


To modify a group using the Eucalyptus Administrator Console:
2. Click the ID of the group you want to rename.
The group's Properties area displays.
3. In the Name field, enter the new name of the group.
4. In the Path field, enter the new path for the group.
5. Click Save.
The new group name displays in the Groups page.
Remove a User from a Group

To remove a user from a group perform the steps listed in this topic.
Using the CLI
To remove a user from a group using the CLI:
euare-groupremoveuser -g <group_name> -u <user-name>

To remove a user from a group using the Eucalyptus Administrator Console:
2. Click the ID of the group you want to remove the user from.
3. Click Remove users.
The Remove users to selected groups popup displays.
4. Enter the name of the user you want to remove and click OK.
The user is now removed from the group.
List Groups
To list groups perform the steps listed in this topic.
Using the CLI
To list all the groups a specific user is in:
euare-grouplistbypath

Eucalyptus returns a list of paths followed by the ARNs for the groups in each path. For example:
arn:aws:iam::eucalyptus:group/groupa

To list groups using the Eucalyptus Administrator Console:
Click Groups in the Quick Links section.
The Groups page displays all groups in your cloud.
List Policies for a Group

To list policies for a group perform the steps listed in this topic.
Using the CLI
To list policies associated with a group using the CLI:
euare-grouplistpolicies -g <group_name>
Eucalyptus returns a listing of all policies associated with the group.

To list the policies associated with a group using the Eucalyptus Administrator Console:
2. Click the ID of the group you want to list policies for.
The Properties section displays.
3. In the Properties section, click Policies.
The Access Policies page displays.
Delete a Group
To delete a group perform the steps listed in this topic.
Using the CLI
When you delete a group, you have to remove users from the group and delete any policies from the group. You can do
this with one command, using the euare-groupdel command with the -r option. Or you can follow the following
steps to specify who and what you want to delete.
1. Individually remove all users from the group.
euare-groupremoveuser -g <group_name> -u <user_name>
2. Delete the policies attached to the group.
euare-groupdelpolicy -g <group_name> -p <policy_name>
3. Delete the group.
euare-groupdel -g <group_name>
The group is now deleted.


To delete a group using the Eucalyptus Administrator Console:
2. Click the ID of the group you want to delete.
3. Click Delete groups.
The Delete selected groups popup displays.
4. Click OK.
The group is now deleted.
Users
Users are subsets of accounts and are added to accounts by an appropriately credentialed administrator. While the term
user typically refers to a specific person, in Eucalyptus, a user is defined by a specific set of credentials generated to
enable access to a given account. Each set of user credentials is valid for accessing only the account for which they were
created. Thus a user only has access to one account within a Eucalyptus system. If an individual person wishes to have
access to more than one account within a Eucalyptus system, a separate set of credentials must be generated (in effect
a new user) for each account (though the same username and password can be used for different accounts).
When you need to add a new user to your Eucalyptus cloud, you'll go through the following process:
1 Create a user
2 Add user to a group
3 Give user a login profile
Add a User
Using the CLI
To add a user using the CLI:
Enter the following command
euare-usercreate -u <user_name> -g <group_name> -k
Eucalyptus does not return a response.

Tip: If you include the -v parameter, Eucalyptus returns a response that includes the user's ARN and GUID.


To add a user using the Eucalyptus Administrator Console:
2. Click the ID of the account you want to rename.
The account's Properties area displays.
3. Click New Users.
The Create new users popup window displays.
4. Enter a name in the User names field.
Tip: You can add more than one user at a time. Every user you add, however, will be in the same path.
5. Enter a path in the User path field.

6. Click OK.
The user is added to the account.
Add a User to a Group

To add a user to a group perform the steps listed in this topic.
Using the CLI
To add a user to a group using the CLI:
euare-groupadduser -g <group_name> -u <user-name>

2. Click the ID of the group you want to add the user to.
3. Click Add users.
The Add users to selected groups popup displays.
4. Enter the name of the user you want to add and click OK.
The user is now added to the group.
Create a Login Profile

Once you create a user, you must generate a password for the user to use the Eucalyptus Administrator Console.
Using the CLI
To create a login profile using the CLI:

euare-useraddloginprofile -u <user_name> -p <password>

To create a login profile using the Eucalyptus Administrator Console:
1. Click Users in the Quick Links section.
The Users page displays.
2. Click the ID of the user whose path you want to change.
The user's Properties area displays.
3. Click Password.
The Change password popup window displays.
4. Enter the new password in the New user password field, and repeat in the New password again field.
5. Click OK.
The login profile is now complete. If you are generating the password for a different user, let the user know the password
and the URL to the Eucalyptus Administrator Console.
Modify a User
Modifying a user is similar to a "move" operation. Whoever wants to modify a user must have permission to do it on
both sides of the move. That is, you need permission to remove the user from the current path or name, and put that user
in the new path or name.
For example, if a user changes from one team in a company to another, you can change the user's path from /team_abc/
to /team_efg/. You need permission to remove the user from /team_abc/. You also need permission to put the
user into /team_efg/. This means you need permission to call UpdateUser on both
arn:aws:iam::123456789012:user/team_abc/* and
arn:aws:iam::123456789012:user/team_efg/*.
Using the CLI
To rename a user using the CLI:
1. Enter the following command to rename a user:
euare-usermod -u <user_name> --new-user-name <new_name>

euare-groupmod -u <user_name> -p <new_path>

To rename a user using the Eucalyptus Administrator Console:
2. Click the ID of the user you want to rename.
The user's Properties area displays.
3. In the Name field, enter the new name of the user.
4. Click Save.
The new user name displays in the Users page.

List Users
You can list users within a path.
Using the CLI
Use the euare-userlistbypath command to list all the users in an account or to list all the users with a particular
path prefix. The output lists the ARN for each resulting user.
euare-userlistbypath -p <path>

To list users in the same path using the Eucalyptus Administrator Console:
2. Click the Path column to sort all users by path.
Delete a User
Using the CLI
To delete a user using the CLI:
Enter the following command
euare-userdel -u <user_name>

To delete a user using the Eucalyptus Administrator Console:
2. Click the ID of the user you want to delete.
The user's information is highlighted.
3. Click Delete Users.
The Delete selected users popup window displays.
4. Click OK.
The user is deleted.

Credentials
Eucalyptus uses different types of credentials for both user and administrative functions. Besides the login and password
used for accessing the Eucalyptus Administrator Console, Eucalyptus uses an SSH keypair and an X.509 certificate to
control access to instances and to Eucalyptus system functions using the command line tools. This section discusses the
various types of credentials and how to use them.
Working with User Credentials
Working with User Credentials

This section describes how to create new user credentials and retrieve existing user credentials.
You can generate new credentials a number of ways. The first time you get credentials using either the Eucalyptus
Administrator Console or the euca_conf command, a new secret access key is generated. On each subsequent request
to get credentials, an existing active secret key is returned. You can also generate new keys using the
eucare-useraddkey command.
Tip: Each request to get a user's credentials either via the download link in the Eucalyptus Administrator Console
or using euca_conf, a new pair of a private key and X.509 certificate
To generate a new key for a user by an account administrator, enter the following
euare-useraddkey -u <user_name>
To generate a private key and an X.509 certificate pair, enter the following:
euare-usercreatecert -u <user_name>

Eucalyptus provides two main ways of getting user credentials. In both cases, Eucalyptus returns a zip file that contains
keys, certificates, a bash script, and several other required files. To use these credentials with such CLI tools as euca2ools
or ec2-tools, unzip your credentials zip file to a directory of your choice.
An administrator with a root access to the machine on which CLC is installed can get credentials using euca_conf
CLI tool on that machine.
/usr/sbin/euca_conf --cred-account <account> --cred-user <user_name>

--get-credentials <filename>.zip
Where <account> and <user_name> are the names of the account and the user whose credentials are retrieved.
Tip: You can omit the --cred-account and --cred-user options when you get credentials for the
admin user of the eucalyptus account.
A user can get his or her credentials by logging in into the Eucalyptus Administrator Console and clicking Download
new credentials in the drop-down menu at the top of the screen. This will result in a download of a zip file.

In the following example we download the credentials zip file to ~/.euca, then change access
permissions, as shown:
mkdir ~/.euca
cd ~/.euca
unzip <filepath>/<creds_zipfile>.zip
chmod 0700 ~/.euca
chmod 0600 *
Important: The zip file with credentials contains security-sensitive information.

We recommend that you remove or read- and write-protect the file from other users
after unzipping.
Alternatively, you can view and copy your access keys and X.509 certificates from the Eucalyptus
Administrator Console after logging in, using the Navigation menu.
To upload a certificate provided by a user:
euare-useraddcert -u <user_name> -f <cert_file>

Important: When you run the following command, you are requesting a new X.509 and a corresponding private
key. You cannot retrieve an existing private key.
To generate a set of credentials:

1. Log in to the CLC.
2. Get administrator credentials and source eucarc:
/usr/sbin/euca_conf --get-credentials admin.zip

unzip admin.zip
chmod 0600 *
source eucarc
Synchronize LDAP/AD
To start an LDAP/AD synchronization:
1. Create an LDAP/AD Integration Configuration (LIC) file to specify all the details about the LDAP/AD synchronization.
2. Upload the LIC file to Eucalyptus using euca-modify-property.
Start a LIC File

To start a LIC file perform the steps listed in this topic.
The LIC is a file in JSON format, specifying everything Eucalyptus needs to know about how to synchronize with an
LDAP or AD service. Eucalyptus provides a LIC template at
${EUCALYPTUS}/usr/share/eucalyptus/lic_template. This template shows all the fields of the LIC,
and provides detailed documentation and example values for each field.
To start a LIC file:

/usr/sbin/euca-lictool --password secret --out example.lic
The above command invokes the LIC tool to create a template LIC and fill in the encrypted password for authenticating
to LDAP/AD service (i.e. the password of the administrative user for accessing the LDAP/AD during synchronization).
The LIC tools primary functions are to encrypt the LDAP/AD password and to generate the starting LIC template.
The usage of the LIC tool shows different ways to invoke the command.
Once you have the LIC template, you can fill in the details by editing the *.lic file using a text editor. Each top level
entity specifies one aspect of the LDAP/AD synchronization.
Upload a New LIC File

To upload a new LIC file perform the steps listed in this topic.
To upload a new LIC file:
Enter the following:
/usr/sbin/euca-modify-property -f
authentication.ldap_integration_configuration=<lic_filename.lic>
This triggers a new synchronization using the uploaded LIC file.

Eucalyptus | Manage Resources | 61
Manage Resources
This section includes tasks to help you manage your users' cloud resources.
Manage Compute Resources

To manage compute resources on a Eucalyptus cloud, use the verbose option in any euca-describe-* command.
The following are some examples you can use to view various compute resources. For more information about compute
commands, see EC2-Compatible Commands.
To see all instances running on your cloud, enter the following command:
euca-describe-instances verbose
To see all volumes in your cloud, enter the following command:
euca-describe-volumes verbose
To see all keypairs in your cloud, enter the following command:
euca-describe-keypairs verbose
Manage Walrus Resources

This topic explains Walrus resources.
Bucket ACLs: Access Control Lists (ACLs) allow an account to explicity grant access to a bucket or object to
another account. ACLs only work between accounts, not IAM users. You specify accounts with the CanonicalID or
the email address associated with the account (for Eucalyptus this is the email of the account admin).
IAM Policies: These are set by the admin of an account to control the access of users within that specific account.
This is how an admin controls what users in that specific account are allowed to do. Policies can specify allow/deny
on specific S3 operations (e.g. s3:GetObject, or s3:PutObject). IAM policies are set by sending the policy to the IAM
(Euare) endpoint, not S3 (Walrus).
Bucket Policies: These are IAM-like policies set by the bucket owner are not supported in Eucalyptus.
For more information about bucket ACLs, go to Access Control List (ACL) Overview and Managing ACLs Using the
REST API.
For more information about IAM policies, go to Using IAM Policies.
Manage IAM Resources

To manage Euare (IAM) resources on your Eucalyptus cloud, use the --as-account option with any euare-
command that describes, adds, deletes, or modifies resources. This option allows you to assume the role of the admin
user for a given account. You can also use a policy to control and limit instances to specific availability zones.
The following are some examples. For more information about IAM commands, see IAM-Compatible Commands.
To list all groups in an account, enter the following command:
euare-grouplistbypath --as-account <account-name>

To list all users in an account, enter the following command:
euare-userslistbypath --as-account <account-name>
To delete the login profile of a user in an account, enter the following command:
euare-userdelloginprofile --as-account <account-name> -u <user_name>
To modify the login profile of a user in an account, enter the following command:
euare-usermod --as-account <account-name> -u <user_name> -n

<new_user_name>
To restrict an image to a specific availability zone, edit and attach this sample policy to a user:
{
"Statement":[
{
"Effect":"Allow",
"Action":"ec2:*",
"Resource":"*"
},
{
"Effect": "Deny",
"Action": [ "ec2:*" ],
"Resource": "arn:aws:ec2:::availabilityzone/PARTI00",
"Condition": {
"ArnLike": {
"ec2:TargetImage": "arn:aws:ec2:*:*:image/emi-239D37F2"
}
}
}
]
}
To restrict a user to actions only within a specific availability zone, edit and attach this sample policy to a user:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [ "ec2:TerminateInstances" ],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:AvailabilityZone": "PARTI00"
}
}
}]
}
To deny actions at the account level, edit and attach this example policy to an account:
{
"Statement": [ {
"Effect": "Deny",
"Action": [ "ec2:RunInstances" ],
"Resource": "arn:aws:ec2:::availabilityzone/PARTI00",
"Condition": {

"ArnLike": {
"ec2:TargetImage": "arn:aws:ec2:*:*:image/emi-239D37F2"
}
}
} ]
}
Manage CloudWatch Resources

To manage CloudWatch resources on a Eucalyptus cloud, use the verbose option in any euwatch- command that
lists, deletes, modifies, or sets a CloudWatch resource.
The following are examples of what you can do with your CloudWatch resources. For more information about CloudWatch
commands, see CloudWatch-Compatible Commands.
To list all alarms for the cloud, run the following command:
euwatch-describe-alarms verbose
Manage ELB Resources

To list and delete ELB resources on a Eucalyptus cloud, use the verbose option with any eulb-describe-*
command.
The following are some examples.
To list all detailed configuration information for the load balancers in your cloud, run the following command:
eulb-describe-lbs verbose
To list the details of policies for all load balancers in your cloud, run the following command:
eulb-describe-lb-policies verbose
To list meta information for all load balancer policies in your cloud, run the following command:
eulb-describe-lb-policy-types verbose
To delete any load balancer or any load balancer resource on the cloud, instead of using the ELB name, use the DNS
name. For example:
$ eulb-describe-lbs verbose
LOAD_BALANCER MyLoadBalancer
MyLoadBalancer-961915002812.lb.foobar.eucalyptus-systems.com
2013-10-30T03:02:53.39Z
$ eulb-delete-lb MyLoadBalancer-961915002812.lb.foobar.eucalyptus-systems.com
$ eulb-describe-lbs verbose

Manage Auto Scaling Resources

You can list, delete, update, and suspend your Eucalyptus cloud's Autoscaling resources by passing the -show-long
option with the keyword verbose with the appropriate euscale- command.
The followings are some examples you can use to act on your Auto Scaling resources. For more information about Auto
Scaling commands, see .
To show all launch configurations in your cloud, run the following command:
euscale-describe-launch-configs --show-long verbose
To show all Auto Scaling instances in your cloud, run the following command:
euscale-describe-auto-scaling-groups --show-long verbose
To show all Auto Scaling instances in your cloud, run the following command:
euscale-describe-auto-scaling-groups --show-long verbose
To delete an Auto Scaling resource in your cloud, first get the ARN of the resource, as in this example:
$ euscale-describe-launch-configs --show-long verbose

LAUNCH-CONFIG TestLaunchConfig emi-06663A57 m1.medium
2013-10-30T22:52:39.392Z true
arn:aws:autoscaling::961915002812:launchConfiguration:5ac29caf-9aad-4bdb-b228-5f
ce841dc062:launchConfigurationName/TestLaunchConfig
Then run the following command with the ARN:
euscale-delete-launch-config
arn:aws:autoscaling::961915002812:launchConfiguration:5ac29caf-9aad-4bdb-b228-5f
ce841dc062:launchConfigurationName/TestLaunchConfig

Eucalyptus | Manage Security | 65
Manage Security
This section details concepts and tasks required to secure your cloud.
Security Overview
This topic is intended for people who are currently using Eucalyptus and who want to harden the cloud and underlying
configuration.
This topic covers available controls and best practices for securing your Eucalyptus cloud. Cloud security depends on
security across many layers of infrastructure and technology:
Security of the physical infrastructure and hosts
Security of the virtual infrastructure
Security of instances
Security of storage and data
Security of users and accounts
Tip: For information about securing applications in AWS cloud, we recommend the Amazon Web Services
Security Best Practices whitepaper. The practices in this in this paper also apply to your Eucalyptus cloud.
Best Practices
This topic contains recommendations for hardening your Eucalyptus cloud.
Network and Message Security

This topic describes which networking mode is the most secure, and describes how to enforce message security.
Networking Mode
Managed mode is the only recommended networking mode for secure deployments. It provides security groups, which
are used to control inbound traffic to instances, as well as Layer-2 isolation between security groups.
Layer-2 isolation is enforced using a VLAN tag per security group. This protects traffic within a security group from
potential eavesdropping and hijacking by instances that belong to other security groups.
Eucalyptus does not currently enforce Layer-2 isolation between instances within the same security group.
For more information about choosing a networking modes, see the Installation Guide.
Replay Detection
Eucalyptus components receive and exchange messages using either Query or SOAP interfaces (or both). Messages
received over these interfaces are required to have a time stamp (as defined by AWS specification) to prevent message
replay attacks. Because Eucalyptus enforces strict policies when checking timestamps in the received messages, for the
correct functioning of the cloud infrastructure, it is crucial to have clocks constantly synchronized (for example, with
ntpd) on all machines hosting Eucalyptus components. To prevent user commands failures, it is also important to have
clocks synchronized on the client machines.
Following the AWS specification, all Query interface requests containing the Timestamp element are rejected as expired
after 15 minutes of the timestamp. Requests containing the Expires element expire at the time specified by the element.
SOAP interface requests using WS-Security expire as specified by the WS-Security Timestamp element.

Endpoints
Eucalyptus requires that all user requests (SOAP with WS-Security and Query) are signed, and that their content is
properly hashed, to ensure integrity and non-repudiation of messages. For stronger security, and to ensure message
confidentiality and server authenticity, client tools and applications should always use SSL/TLS protocols with server
certification verification enabled for communications with Eucalyptus components.
By default, Eucalyptus components are installed with self-signed certificates. For public Eucalyptus endpoints, certificates
signed by a trusted CA provider should be installed.
Authentication and Access Control

This topic describes best practices for Identity and Access Management and the eucalyptus account.
Identity and Access Management

Eucalyptus manages access control through an authentication, authorization, and accounting system. This system manages
user identities, enforces access controls over resources, and provides reporting on resource usage as a basis for auditing
and managing cloud activities. The user identity organizational model and the scheme of authorizations used to access
resources are based on and compatible with the AWS Identity and Access Management (IAM) system, with some
Eucalyptus extensions provided that support ease-of-use in a private cloud environment.
For a general introduction to IAM in Eucalyptus, see Access Concepts in the Administration Guide. For information
about using IAM quotas to enforce limits on resource usage by users and accounts in Eucalyptus, see the Quotas section
in the Administration Guide.
The Amazon Web Services IAM Best Practices are also generally applicable to Eucalyptus.
The eucalyptus Account

The eucalyptus account is the superuser/privileged account in Eucalyptus. The security of your Eucalyptus cloud
can be compromised if this account is compromised.
A default password is created for the eucalyptus account's admin user when you install Eucalyptus. Reset this
password immediately either by going to the admin console or using euare-usermodloginprofile.
Use this account only for tasks that cannot be done using a less privileged account, for examples tasks related to cloud
setup, management and monitoring. Protect and periodically rotate the credentials for this account.
Credential Management
Only create users and credentials for the interfaces that you will actually use. For example, if you're only going to use
an account through the Administration Console or the User Console, do not create credentials for the SOAP and Query
interfaces.
Using euca_conf --get-credentials or downloading credentials through the Administration Console currently
creates a new set of X.509 certificates on each request. Use euare-useraddkey and euare-usercreatecert
to get a specific set of credentials whenever possible.
When rotating credentials, there is an option to deactivate, instead of removing, existing access/secret keys and X.509
certificates. Requests made using deactivated credentials will no longer be accepted, but the credentials will remain in
the Eucalyptus database and can be restored if needed. You can deactive credentials using the Administration Console,
or using euare-usermodkey and euare-usermodcert.
Hosts
This topic describes best practices for machines that host a Eucalyptus component.
Eucalyptus recommends restricting physical and network access to all hosts comprising the Eucalyptus cloud, and
disabling unused applications and ports on all machines used in your cloud.
After installation, no local access to Eucalyptus component hosts is required for normal cloud operations and all normal
cloud operations can be done over remote web service APIs.

The CLC and Walrus are the only two components that generally expect remote connections from end users. Each
Eucalyptus component can be put behind a firewall following the list of open ports and connectivity requirements
described in the Configure the Firewall section.
For more information on securing Red Hat hosts, see the Red Hat Enterprise Linux Security Guide. Note that Eucalyptus
does not currently support SELinux configurations, and SELinux should be disabled.
Images and Instances

Because all instances are based on images, creating a secure image helps to create secure instances. This topic lists best
practices that will add additional security during image creation. As a general rule, harden your images similar to how
you would harden your physical servers.
Turn off password-based authentication by specifying the following option in /etc/ssh/sshd_config:
PasswordAuthentication no
Encourage non-root access by providing an unprivileged user account. If necessary, use sudo to allow access to
privileged commands
Always delete the shell history and any other potentially sensitive information before bundling. If you attempt more
than one bundle upload in the same image, the shell history contains your secret access key.
Bundling a running instance requires your private key and X.509 certificate. Put these and other credentials in a
location that is not bundled (e.g. when using euca-bundle-vol, pass the folder location where the certificates
are stored as part of the values for the -e option). AWS provides more in-depth information on security considerations
in creating a shared machine image.
Consider installing cloud-init in the image to help control root and non-root access. If cloud-init isn't available, a
custom /etc/rc.local script can be used.
Consider using a tool such as http://manpages.ubuntu.com/manpages/precise/man8/zerofree.8.htmlzerofree to zero-out
any unused space on the image.
Consider editing /etc/rc.local to clear out the swap every time the instance is booted. This can be done using
the following command:
sync && /sbin/sysctl vm.drop_caches=3 && swapoff -a && swapon -a
Consider enabling SELinux or AppArmor for your images

Disable all unused services and ports on the image.
By default, all images registered have private launch permissions. Consider using
euca-modify-image-attribute to limit the accounts that can access the image.
After locking down the image using the steps above, additional steps can be done to further secure instances started
from that image. For example, restrict access to the instance by allowing only trusted hosts or networks to access ports
on your instances. You can control access to instances using euca-authorize and euca-revoke.
Consider creating one security group that allows external logins and keep the remainder of your instances in a group
that does not allow external logins. Review the rules in your security groups regularly, and ensure that you apply the
principle of least privilege: only open up permissions as they are required. Use different security groups to deal with
instances that have different security requirements.
User Console
This topic describes things you can do to secure the Eucalyptus User Console.
Always use SSL for communications and install CA-signed certificate.
We do not recommend choosing "Remember my keys" option for "Login to AWS" because it will store AWS
credentials in browser's local storage and increases the security risk of AWS credentials being compromised
Change the default session timeouts if needed. For more information, see Configure Session Timeouts.

LDAP Security
This topic explains variables in the LIC file you should use to secure configuration.
When you enable LDAP/Active Directory (AD) integration with Eucalyptus, we recommend that you use the following
variables in the LDAP/AD Integration Configuration (LIC) file. These variables are located under the ldap-service
element in the LIC file.
Element Description
auth-method The LDAP/AD authentication method to perform

synchronization. Supports three types of methods:
user-auth-method The LDAP/AD authentication method for normal users to

perform Eucalyptus Administrator Console login. Supports
three types of methods:
use-ssl Specifies whether to use SSL for connecting to LDAP/AD

service. If this option is enabled, make sure the SSL port
for LDAP is defined as part of the server-url. The default
port for LDAP+SSL is port 636.
ignore-ssl-cert-validation Specifies whether to ignore self-signed SSL certs. This is
useful when you only have self-signed SSL certs for your
LDAP/AD services.
krb5-conf The file path for krb5.conf, if you use GSSAPI
authentication method.
When use-ssl is enabled, ldaps will be used. However, the server-url still needs to begin with ldap://.
We recommend using a proxy user for the auth-principal. Typically, proxy users are used to associate with the
application that needs to do reads (and in some cases writes) against the LDAP/AD directory. Proxy users also make it
easier for security audits done on the LDAP/AD directory. To use with Eucalyptus and the LDAP/AD sync, the proxy
user only needs read access. For more information about using proxy authentication with OpenLDAP and Active
Directory, go to the following resources:
For LDAP: Using SASL (see the SASL Proxy Authorization section)
For Active Directory: Supported Types of Security Principles

For more information about LDAP and security, go to the following resources:
Authentication Methods (see the "simple" method section)
Using SASL
Security Considerations
For more information about Active Directory and security, go to the following resources:
Simple Authentication
SASL Authentication
LDAP Security

Tasks
This section details the tasks needed to make your cloud secure.
Congifure Managed Mode

To configure managed mode for your cloud, follow the steps in Configure for Managed Mode in the Installation Guide.
Configure SSL
In order to connect to Eucalyptus using SSL, you must have a valid certificate for the Cloud Controller (CLC) and for
Walrus. You must also be running the Cloud Controller and Cluster Controller (CC) on separate machines.
Tip: The CLC and Walrus use the same tasks. You can just perform one or the other if your CLC and Walrus
are located on the same server.
Configure SSL for the CLC

This topic details tasks to configure SSL for the CLC.
Important: In a HA environment, repeat these tasks on the other CLC.
Create a Keystore
Eucalyptus uses a PKCS12-format keystore. If you are using a certificate signed by a trusted root CA, perform the
following steps.
1. Enter the following command to convert your trusted certificate and key into an appropriate format:

This command will request an export password, which is used in the following steps.
2. Save a backup of the Eucalyptus keystore, at /var/lib/eucalyptus/keys/euca.p12.
3. Import your keystore into the Eucalyptus keystore
Enable the CLC to Use the Keystore

To enable the CLC to use the keystore, perform the following steps.
1. Enter the following commands on the CLC:
2. Restart the CLC by running service eucalyptus-cloud restart or

/etc/init.d/eucalyptus-cloud restart.

Optional: Redirect Requests

The CLC and Walrus listen for both SSL and non-SSL connections on port 8773. If you have other tools that expect to
speak SSL on port 443, you should forward requests on that port to port 8773. For example, the following iptables
command can be used:
Configure SSL for Walrus

This topic details tasks to configure SSL for Walrus.
Important: In a HA environment, repeat these tasks on the other Walrus.
Create a Keystore
Eucalyptus uses a PKCS12-format keystore. If you are using a certificate signed by a trusted root CA, perform the
following steps.
1. Enter the following command to convert your trusted certificate and key into an appropriate format:

This command will request an export password, which is used in the following steps.
2. Save a backup of the Eucalyptus keystore, at /var/lib/eucalyptus/keys/euca.p12.
3. Import your keystore into the Eucalyptus keystore
Enable the Walrus to Use the Keystore

To enable Walrus to use the keystore, perform the following steps.
1. Enter the following commands on Walrus:
2. Restart Walrus by running service eucalyptus-cloud restart or /etc/init.d/eucalyptus-cloud

restart.
Optional: Redirect Requests
Walrus listens for both SSL and non-SSL connections on port 8773. If you have other tools that expect to speak SSL
on port 443, you should forward requests on that port to port 8773. For example, the following iptables command can
be used:
Configure SSL for the User Console

This topic details tasks required to configure SSL for the User Console.

Disable Automatic SSL Certificate Generation

When the user console service is run for the first time, it will generate a self-signed certificate and key which will be
put into /etc/eucalyptus-console/. If you do not want to have a certificate and key generated and would like
to use your own, you can disable automatic generation of the certificate and key.
To disable automatic generation of the console certificate and key, perform the following task.
Add the following line to /etc/sysconfig/eucalyptus-console:
GENERATE_CERT=NO
Tip: If you choose not to use the default SSL certificate and key, you must provide your own. For more
information on generating self-signed SSL certificates, go to
http://www.akadia.com/services/ssh_test_certificate.html.
Configure SSL Certificate Paths

If you don't use the self-signed certificate and key that are provided by the User Console, you will need to provide your
own.
To optionally specify an SSL certificate to run your console over Secure HTTP, modify the sslcert and sslkey
entries in the [server] section of the configuration file with paths to your SSL certificate and key files. For example:
sslcert=/example/path/server.crt
sslkey=/example/path/server.key
Tip:
For more information on generating self-signed SSL certificates, go to
http://www.akadia.com/services/ssh_test_certificate.html.
Configure SSL for the Administration Console

To configure SSL for the Administration Console, you need a signed certificate.
1. Create a p12 keystore that includes the signed certificate and private key:
openssl pkcs12 -export -out signedcert.p12 -inkey [key_file] -in

[certificate_file] -name jetty -certfile gd_bundle.crt
Ensure that the keystore is readable by the Eucalyptus user.

2. Verify that the certificate was converted correctly:
keytool -exportcert -v -alias jetty -keystore signedcert.p12 -storetype pkcs12

> certificate.crt
keytool -printcert -file certificate.crt
3. Move the new certificate store into place:
mv signedcert.p12 /var/lib/eucalyptus/keys/signedcert.p12
chown eucalyptus:eucalyptus /var/lib/eucalyptus/keys/signedcert.p12
chmod 600 /var/lib/eucalyptus/keys/signedcert.p12
4. Create a temporary directory, and extract the eucalyptus-www jar:
mkdir /tmp/eucalyptus-www
cd /tmp/eucalyptus-www
unzip /usr/share/eucalyptus/eucalyptus-www-3.4.2.jar eucalyptus-jetty.xml

5. Edit eucalyptus-jetty.xml to point to the new keystore. The following example assumes that your new keystore is
stored in /var/lib/eucalyptus/keys/:
<Set name="keystore">/var/lib/eucalyptus/keys/signedcert.p12</Set>
<Set name="truststore">/var/lib/etc/eucalyptus/keys/signedcert.p12</Set>
<Set name="password">[yourkeystorepassword]</Set>
<Set name="keyPassword">[yourkeypassword]</Set>
<Set name="trustPassword">[yourkeystorepassword]</Set>
6. Copy the eucalyptus-jetty.xml file to /etc/eucalyptus/cloud.d/.

Important: This file contains the keys for your keystore. Ensure that it is protected, and can only be read
or written to by the eucalyptus user.
7. Restart Eucalyptus services:

After restarting Eucalyptus, verify that the system is up using euca-describe-services. You should now be
able to access the Admin UI over SSL at http://[CLC-IP]:8443/.
Configure SSL for LDAP

This topic details tasks required to configure SSL for LDAP.
To configure SSL for LDAP, make the following edits to your LIC template or file.
Tip: For more information about the LIC template and file, see LDAP/AD Integration Configuration.
1. Edit the use-ssl value to true.
"use-ssl":"true",
2. Edit the ignore-ssl-cert-validation value to false.
"ignore-ssl-cert-validation":"false",
Synchronize Components
To synchronize your Eucalyptus component machines with an NTP server, perform the following tasks.
1. Enter the following command on a machine hosting a Eucalyptus component:
# ntpdate pool.ntp.org
# service ntpd start
# chkconfig ntpd on
# ps ax | grep ntp
# hwclock --systohc
2. Repeat for each machine hosting a Eucalyptus component.
Configure Replay Protection

You can configure replay detection in the CLC to allow replays of the same message for a set time period. This might
be needed to ensure that legitimate requests submitted by automated scripts closely together (such as two requests to
describe instances issued within the same second) are not rejected as malicious.

Important: To protect against replay attacks, the CLC only caches messages for 15 minutes. So its important
that any client tools used to interact with the CLC have the Expires element set to a value less than 15 minutes
from the current time. This is usually not an issue with standard tools, such as euca2ools and Amazon EC2 API
Tools.
1. The CLC replay detection algorithm rejects messages with the same signatures received within 15 minutes. The time
within which messages with the same signatures are accepted is controlled by the
bootstrap.webservices.replay_skew_window_sec property. The default value of this property is
three seconds. To change this value, enter the following command:
bootstrap.webservices.replay_skew_window_sec=[new_value_in_seconds]
If you set this property to 0, Eucalyptus will not allow any message replays. This setting provides the best protection
against message replay attacks, but may break some of the client-side scripts that issue commands too quickly.
If you set this property to any value greater than 15 minutes plus the values of ws.clock_skew_sec (that is, to a value
>= 920 sec in the default installation), Eucalyptus disables replay detection completely.
2. When checking message timestamps for expiration, Eucalyptus allows up to 20 seconds of clock drift between the
machines. This is a default setting. You can change this value for the CLC at runtime by setting the
bootstrap.webservices.clock_skew_sec property as follows:
bootstrap.webservices.clock_skew_sec=[new_value_in_seconds]
Reserve Ports
Eucalyptus components use a variety of ports to communicate. The following table lists the all of the important ports
used by Eucalyptus.
Port Description
TCP 5005 DEBUG ONLY: This port is used for debugging Eucalyptus (using the --debug flag).
TCP 8080 Port for the administrative web user interface. Forwards to 8443. Configurable with
euca-modify-property.
TCP 8443 SSL port for the administrative web user interface. Configurable with
euca-modify-property.
TCP 8772 DEBUG ONLY: JMX port. This is disabled by default, and can be enabled with the --debug
or --jmx options for CLOUD_OPTS.
TCP 8773 Web services port for the CLC, Walrus, SC, and VB; also used for external and internal
communications by the CLC and Walrus. Configurable with euca-modify-property.
TCP 8774 Web services port on the CC. Configured in the eucalyptus.conf configuration file
TCP 8775 Web services port on the NC. Configured in the eucalyptus.conf configuration file.
TCP 8776 Used by the image cacher on the CC. Configured in the eucalyptus.conf configuration
file.
TCP 8777 Database port on the CLC
TCP 8779 (or next jGroups failure detection port on CLC, Walrus, VB and SC. If port 8779 is available, it will
available port, up to be used, otherwise, the next port in the range will be attempted until an unused port is found.
TCP 8849)

Port Description
TCP 8888 The default port for the Eucalyptus User Console. Configured in the
/etc/eucalyptus-console/console.init file.
TCP 16514 TLS port on Node Controller, required for node migrations
UDP 7500 Port for diagnostic probing on CLC, Walrus, SC, and VB
UDP 8773 HA membership port
TCP/UDP 53 DNS port on the CLC
Configure the Firewall

This topic provides guidelines for restricting network access and managing iptables rules.
Restricting Network Access

This section provides basic guidance on setting up a firewall around your Eucalyptus components. It is not intended to
be exhaustive.
On CLC, Walrus, SC, and VB, you should allow for the following jGroups traffic:
TCP connections between CLC, Walrus, SC, and VB on port 8779 (or the first available port in range 8779-8849)
UDP connections between CLC, Walrus, SC, and VB on port 7500
Multicast connections between CLC, Walrus, SC, and VB to IP 228.7.7.3 on UDP port 8773
On the CLC, you should additionally allow the following connections:
TCP connections from end-users on ports 8773 and 8443
TCP connections from CC and Eucalyptus instances (public IPs) on port 8773 (for metadata service)
TCP connections from Walrus, SC, and VB on port 8777
End-user and instance connections to DNS ports
On the CC, you should ensure that all firewall rules are compatible with the dynamic changes performed by Eucalyptus,
described in the section below. You should also allow the following connections:
TCP connections from CLC on port 8774
TCP connections from NC on port 8776, if CC image proxying is enabled
On Walrus, you should also allow the following connections:
TCP connections from end-users on port 8773
TCP connections from SC, NC, and VB on port 8773
TCP connections from CC on port 8773, if CC image proxying is enabled
On the SC, you should also allow the following connections:
TCP connections from CLC, NC, and VB on TCP port 8773
TCP connections from NC on TCP port 3260, if tgt (iSCSI open source target) is used for EBS storage
On the VMware Broker, you should also allow the following connections:
TCP connections from CC on port 8773
On the NC, you should allow the following connections:
TCP connections from CC on port 8775
TCP connections from other NCs on port 16514
DHCP traffic forwarding to VMs
Traffic forwarding to and from instances' private IP addresses

Managing iptables Rules for the CC

In Managed and Managed (No VLAN) modes, Eucalyptus flushes the CC's iptables rules for both filter and nat,
then it sets the default policy for the FORWARD chain in filter to DROP. At run time, the CC adds and removes rules
from FORWARD as users add and remove ingress rules from their active security groups. In addition, the nat table is
configured to allow VMs access to the external network using IP masquerading, and dynamically adds/removes rules
in the nat table as users assign and unassign public IPs to VMs at instance boot or run-time.
If you have rules you want to apply on the CC, make the following edit on the CC before you start Eucalyptus or while
Eucalyptus is stopped:
iptables-save > /etc/eucalyptus/iptables-preload
Caution: Performing this operation to define special iptables rules that are loaded when Eucalyptus starts could
cause Eucalyptus VM networking to fail. We recommend that you only do this if you are completely sure that
it will not interfere with the operation of Eucalyptus.
Configure Session Timeouts

To set the session timeouts in the User Console:
Modify the session.idle.timeout and session.abs.timeoutentries in the [server] section of the
configuration file. The session.idle.timeout value defines the number of seconds before an idle session is
timed out. The session.abs.timeout is the maximum length that any session can be active before being timed
out. All values are in seconds:
session.idle.timeout=1800
session.abs.timeout=43200
Configure LDAP
To synchronize your Eucalyptus component machines with an NTP server, perform the following tasks.
1. Enter the following command on a machine hosting a Eucalyptus component:
# ntpdate pool.ntp.org
# service ntpd start
# chkconfig ntpd on
# ps ax | grep ntp
# hwclock --systohc
2. Repeat for each machine hosting a Eucalyptus component.

Eucalyptus | Manage Reporting | 76
Manage Reporting
Eucalyptus provides two ways for getting metrics for your cloud: you can get a report directly from the Cloud Controller
(CLC), or you can get a report from data exported from the CLC and imported to a data warehouse.
When you install Eucalyptus, you automatically get the reporting system in place to generate reports from the CLC.
However, the down side to using the CLC for reports is latency. Because of this, Eucalyptus also supports a data
warehouse that resides outside the Eucalyptus system to store report data.
This section describes the concepts and best practices for Eucalyptus reporting, and how to generate reports.
Reporting Overview
Eucalyptus lets you generate reports to monitor cloud resource use. Each type of report is for a specified time range.
Eucalyptus supports the following report types:
Instance: The instance report provides information about the amount, duration, and utilization of all running instances.
Use this report to understand how many instances each user is running, whether your instance types are large enough,
etc.
S3: The S3 report provides information about the number of buckets and objects stored in Walrus. Empty buckets
are not reported. Use this report to understand the storage needs of each user and your cloud's storage needs.
Volume: The volume report provides information about the amount, duration, and size of all volumes in use. Use
this report to understand how many volumes are running, and what the storage size of each volume is.
Snapshot: The snapshot report provides information about the amount of your cloud's snapshots. Use this report to
understand how many snapshots there are and from which volumes, and what the size of each snapshot is.
Elastic IP: The elastic IP report provides information about the lifecycle of elastic IPs in your cloud, including which
user is using which IPs, which IPs are currently in use, and how often and for how long does IP get allocated. Use
this report to understand how many IPs each user is assigned and to which instance the IP is assigned to, and the
running time of each IP.
Capacity: The capacity report provides overall information about your cloud's resources, including instance types
and storage. Use this report to determine if your resources are being used adequately, and whether you need to scale
up or down.
You can generate reports in either CSV or HTML formats for use with external tools.
If you want to use the CLC for your reports, see Reporting Tasks: CLC.
If you want to use the data warehouse for your reports, see Set Up the Data Warehouse.
Understanding the Report Format

All Eucalyptus reports contain a usage section. The instance report also contains a running time section.
The usage section shows cumulative (cumul.) metrics for each zone, account, and user. Then the report lists metrics for
each resource. The column for each resource type (for example, Instance Id or Volume Id displays cumul. for all
cumulative metrics. When individual resources are reported, the individual resource's name or identifier displays in that
column.
Instance Report
The Instance Report has the following column headings:
Heading Description
Net Total GB In Total instance network input communication between

instances with in the cloud

Heading Description
Net Total GB Out Total instance network output communication between

instances with in the cloud
Net External GB In Total instance network input communication between
connections from outside of the cloud
Net External GB Out Total instance network output communication between
connections from outside of the cloud
Disk GB Read Total instance disk reads
Disk GB Write Total instance disk writes
Disk IOPS (M) Read Disk read transfer rate and I/Os per second
Disk IOPS (M) Write Disk write transfer rate and I/Os per second
Disk Time (hrs) Read Total disk read time per hour
Disk Time (hrs) Write Total disk write time per hour
S3 Report
The S3 Report has the following column headings:
Heading Description
Bucket Name of the container used to store objects

# Objects Total number of objects created
# Snap Total number of snapshots created
Total Obj Size (BYTES) Total object size in bytes
Obj GB-Days Object size reporting interval, in gigabytes
Volume Report
The S3 Report has the following column headings:
Heading Description
Instance Id Identifier of the instance

Volume Id Identifier of the Eucalyptus block volume attached to the
instance
# Vol Total number of volumes created
Size (BYTES) Size of the volumes, in bytes
GB-Days Gigabytes used per day
Snapshot Report
The Snapshot Report has the following column headings:
Heading Description
Volume Id Identifier of the Eucalyptus block volume

Heading Description
Snapshot Id Identifier of the snapshot

# Snap Total number of snapshots created
Size (BYTES) Size of the snapshots, in bytes
GB-Days Gigabytes used per day
Elastic IP Report
The Elastic IP Report has the following column headings:
Heading Description
Elastic IP IP address
Instance ID Identifier of the instance that is assigned the elastic IP
# IPs Number of IPs used by a user(s)
Duration Length in time that the elastic IP is in use by an instance
Capacity Report
The Capacity Report has the following column headings:
Heading Description
Resource The resource whose capacity is being reported. A resource

can be:
S3 Storage in GB
Elastic IP count
EBS Storage in GB
EC2 Compute in cores
EC2 Disk in GB
EC2 Memory in MB
VM Types by type (for example, c1.medium) count
Available Quantity of the resource free for use

Total Total available quantity for the resource
Reporting Best Practices

This topic provides guidelines for using the reporting feature in Eucalyptus.
Eucalyptus recommends that you run reports from the data warehouse. The Cloud Controller (CLC) generates the
data. The data warehouse is a store of the stale data exported from the CLC.
Monitor the rate of information collected and written to the CLC database. The database expands through usage and
event-driven records. More report information stored in the CLC database lessens the effectiveness of the CLC to
perform its cloud duties. If the database gets too large, export the data to the data warehouse then delete the data
from the CLC.
Be careful about deleting data in the CLC. If you delete data in the CLC after you export it, you should use the data
warehouse to generate all future reports. This ensures that you have a comprehensive picture of your cloud data.
You can't import data from different clouds into the same data warehouse.

Reporting Tasks
This section explains the tasks associated with the Eucalyptus reporting feature. These tasks are divided into where you
will run reports from, either the Cloud Controller (CLC) or the data warehouse. Follow the steps listed below to configure
and then find the tasks associated with reports.
When you install Eucalyptus, you automatically get the ability to run reports against the CLC. This reporting functionality
is done in the Eucalyptus Administrator Console. For further information, see Reporting Tasks: CLC.
Many environments choose to focus the CLC function on the cloud processes, rather than on reporting processes. For
these needs, Eucalyptus supports exporting data from the CLC to a data warehouse and running reports against the data
in that data warehouse. For more information, see Reporting Tasks: Data Warehouse.
Reporting Tasks: CLC

A Eucalyptus installation gives you the ability to run reports against your Cloud Controller (CLC). For information
about each report type, see the following sections.
Create a Report: CLC

To create a report using data on the Cloud Controller (CLC) perform the steps listed in this topic.
1. Open the Eucalyptus Administrator Console.
2. Click the Usage Report link in the Resource Management section.
The Usage Report page displays.
3. Choose the following fields:
Enter the starting date in the From field.
Enter the end date in the Through field.
Enter the report type you want to generate in the Report type field.
4. Click Generate.
The report displays on the screen.
To download the report, click the CSV or HTML icon at the bottom of the screen.
Reporting Tasks: Data Warehouse

Eucalyptus recommends that you run your reports against the data warehouse. Setting up a data warehouse allows you
to remove data from the Cloud Controller (CLC). This ensures that you have enough disk space to operate the CLC.
This section contains information needed to install the data warehouse and run those reports.
Once the data warehouse is installed, the workflow for running reports against the data warehouse is:
1. Export the data from the CLC. For more information, see Export Data.
2. Import the data to the data warehouse. For more information, see Import Data.
3. Create the report from the data in the data warehouse. For more information, see Create a Report: Data Warehouse.
Set Up the Data Warehouse

This section explains how to set up the data warehouse and how to generate reports using data in the data warehouse.
Install the Data Warehouse
To install the Data Warehouse on hosts running RHEL 6 or CentOS 6:
Important: Do not install the Data Warehouse on a machine running Eucalyptus services.

1. Configure the Eucalyptus package repository on the Data Warehouse host:
yum --nogpgcheck install

http://downloads.eucalyptus.com/software/eucalyptus/3.4/centos/6/x86_64/
eucalyptus-release-3.4.noarch.rpm
2. Install the Data Warehouse packages:
yum install eucadw
3. Install the PostgreSQL server:
yum install postgresql91-server
You are now ready to Configure the Database.

Configure the Database
To configure the database in your data warehouse perform the tasks
1. Initialize the PostgreSQL database.
service postgresql-9.1 initdb
2. Start the PostgreSQL service.
service postgresql-9.1 start
3. Log in to the PostgreSQL server.
su - postgres
4. Start the PostgreSQL terminal.
psql
5. At the psql prompt run:
create database eucalyptus_reporting;

create user eucalyptus with password 'mypassword';
grant all on database eucalyptus_reporting to eucalyptus;
\q
6. Log out.
exit
7. Edit the /var/lib/pgsql/9.1/data/pg_hba.conf file to contain the following content:
local all all password

host all all 127.0.0.1/32 password
host all all ::1/128 password
8. Reload the PostgreSQL service.
service postgresql-9.1 reload

Your machine is now configured as a data warehouse.
Check the Data Warehouse Status

To check the data warehouse status perform the steps listed in this topic.
eucadw-status -p <your_password>
For more information about eucadw-status, go to the Euca2ools Reference Guide.
Export Data
To export data from the Cloud Controller (CLC):
Run the following command:
eureport-export-data [filename] -s [start_date] -e [end_date]

-d
For more information about the eureport-export-data command, go to the Euca2ools Reference Guide.
Import Data
To import data into the data warehouse:
eucadw-import-data -e [filename] -p [your_password]
where filename is the name of the imported file that you want to get data from.
For more information about eucadw-import-data, go to the Euca2ools Reference Guide.
Create a Report: Data Warehouse

To create a report from data in the data warehouse:
eucadw-generate-report -s <start_date> -e <end_date> -t <report_type> -p

<your_password
where:
start_date is the date you want data from. For example, 2012-11-05.
end_date is the date you want data to.
report_type is the type of report you want to run: instance, S3, volume, snapshot, IP, or capacity.
your_password is the administrator password you configured in the data warehouse installation.
For more information about eucadw-generate-report, go to the Euca2ools Reference Guide.

Eucalyptus | Eucalyptus Commands | 82
Eucalyptus Commands
This section contains reference information for Eucalyptus administration and reporting commands.
Eucalyptus Administration Commands

Eucalyptus offers commands for common administration tasks and inquiries. This section provides a reference for these
commands.
euca_conf
This is the main configuration file for Eucalyptus.
Syntax
euca_conf
Options
Option Description Required
--initialize Begin the one-time initialization of the CLC No

--heartbeat Return heartbeat data for the specified host No
--synckey No
--no-rsync Do not use rsync when registering No
--no-scp Do not use scp when registering No
--skip-scp-hostcheck Skip scp interactive host keycheck No
--get-credentials Download credentials to the specified zip file. By default, the admin No
credentials will be downloaded but this can be adjusted with the
--cred-user option. Each time this is called, new X.509 certificates
will be created for the specified user.
--cred-account Set get-credentials for the specified account No
--cred-user Set get-credentials for the specified user No
--register-nodes Add specified NCs to Eucalyptus No
--deregister-nodes Remove specified NC from Eucalyptus No
--register-arbitrator Add arbitrator service to Eucalyptus No
--deregister-arbitrator Remove arbitrator service from Eucalyptus No
--register-cloud Add new Cloud Controller to Eucalyptus No
--register-cluster Add a Cluster Controller to Eucalyptus No
--deregister-cluster Remove a Cluster Controller from Eucalyptus No
--register-walrus Add Walrus to Eucalyptus No
--deregister-walrus Remove Walrus from Eucalyptus No

--register-sc Add Storage Controller to Eucalyptus No

--deregister-sc Remove Storage Controller from Eucalyptus No
--register-vmwarebroker Add VMware Broker to Eucalyptus No
-deregister-vmwarebroker Remove VMware Broker from Eucalyptus No
--list-walruses Return all registered Walruses No
--list-clouds Return all registered Cloud Controllers No
--list-clusters List all registered Cluster Controllers No
--list-arbitrators Return all registered arbitrator services No
--list-vmwarebrokers Return all registered VMware Brokers No
--list-nodes Return all registered Node Controllers No
--list-components return all registered Eucalyptus components No
--list-services Return all registered services No
-list-scs Return all registered Storage Controllers No
--no-sync Used with --register-* to skip syncing keys No
-d Point Eucalyptus to the specified directory No
--cc-port Set the Cluster Controller to the specified port No
--sc-port Set the Storage Controller to the specified port No
--walrus-port Set Walrus to the specified port No
--nc-port Set the Node Controller to the specified port No
--instances Set the instance path No
--hypervisor Set which hypervisor to use. No
Valid values: xen | kvm
--user Set the user to use for EUCA_USER No

--dhcpd Set the DHCP daemon binary to the specified path No
--dhcp_user Set the specified user name to run dhcpd as No
--bridge Set the bridge as the specified name No
--name Returns the value for the specified name No
--import-conf Import variables from a specified eucalyptus.conf file No
--upgrade-conf Upgrade eucalyptus.conf from the specified older installation No
file
--setup Perform initial setup No
--enable Enable specified service at next start No
Valid values: cloud | walrus | sc | vmwarebroker
--disable Disable specified service at next start No

Valid values: cloud | walrus | sc | vmwarebroker

--check Pre-flight checks No

Valid values: common | vmware
-P, --partition Name of partition. Used with --register-* and No

--deregister-*
-H, --host Name or IP address of host. Used with --register-* No
-C, --component Name of the component. Used with --register-* and No
--deregister-*
--help-register Display help for register deregister No
Common Options
Option Description
--region region Region to direct requests to. Only valid for EC2 endpoints.
-U,--url url URL of the cloud to connect to. Expects an EC2 endpoint /services/Eucalyptus.
-I,--access-key-id User's access key ID
access_key_id
-S,--secret-key User's secret key
secret_key
--config Read credentials and cloud settings from the specified config file.
configuration_path
Default: $HOME/.eucarc or /etc/euca2ools/eucarc.
--debug Prints what the command sends to the server and what it receives from the server. Use
when you're trying to debug Euca2ools.
--debugger Enable interactive debugger on error
-h,--help Display the manual page for the command.
--version Display the version of this tool
euca-describe-properties
This command lists properties.
Syntax
euca-describe-properties
Options
None
Common Options
Option Description

Option Description
access_key_id
secret_key
configuration_path
euca-modify-property
This command modifies a Eucalyptus cloud property.
Syntax
euca-modify-property
Options
-p, --property Set the named property to the specified value. Conditional
name=value
-r name Resets the named property to the default value. No
Common Options
Option Description
access_key_id
secret_key
configuration_path

Option Description

This command returns information about all running services.
Syntax
Options
-A, --all Include all public service information. Reported state information is determined No
by the view available to the target host, which should be treated as advisory (See
documentation for guidance on interpreting this information).
--system-internal Include internal services information No
Note: This information is only for the target host.
--user-services Include services that are user-facing and co-located with some other top-level No
service
Note: This information is only for the target host.
-T, Filter services by specified component type No

--filter-type
-H, Filter services by specified host No
--filter-host
-F, Filter services by state No
--filter-state
-P, Filter services by specified partition No
--filter-partition
-E, --events Return service event details No
-events-verbose Return verbose service event details No
Common Options
Option Description
access_key_id

Option Description

secret_key
configuration_path
Eucalyptus Report Commands

Eucalyptus lets you to generate reports for your cloud. These reports show data useful for understanding how your
resources are being allocated, who is using the resources, and how much time resources are running.
Eucalyptus lets you to get reports from either the Cloud Controller (CLC) or the data warehouse. Reports from the data
warehouse are from data exported from the CLC.
Commands that begin the eureport- are for the CLC. For more information, see Reports Commands: CLC. Commands
that begin with eucadw- are for the data warehouse. For more information, see Report Commands: Data Warehouse.
Reports Commands: CLC

This section contains reference information for reporting commands that use the Cloud Controller (CLC).
Normally, you will just use eureport-generate-report command. If you want to run reports agains the data warehouse,
you need to export data from the CLC using the eureport-export-data command.
Caution: Be careful if you use the eureport-delete-data command. Once you delete data from the
CLC, you have to run reports using the data warehouse. You can't use the CLC for reporting.
eureport-generate-report
Generates a report from the CLC.
Syntax
eureport-generate-report [filename] [-t report_type]

[-f report_format] [-s start_date] [-e end_date]
[--size-unit size_unit] [--time-unit time_unit]
[--size-time-size-unit size_time_size_unit]
[--size-time-time-unit size_time_time_unit] [-d] [-F]
Options
filename Path to the resulting reporting reporting file. No

-t, --type Type of report to generate. No

report_type
Valid values: elastic-ip | instance | s3 | snapshot | volume
Default: instance
-f, --format Format of report generate. No

report_format
Valid values: csv | html
Default: html
-s, --start-date Inclusive start date for the exported data in YYYY-MM-DD format. Yes
start_date For example, 2012-08-19.
-e, --end-date Exclusive end date for the exported data in YYYY-MM-DD format. Yes
end_date For example, 2012-08-26.
--size-unit The level of granularity for reporting metrics by size alone. No
size_unit
Valid values: b | kb | mb | gb
Default: gb
--time-unit The level of granularity for reporting interval. No

time_unit
Valid values: seconds | minutes | hours | days
Default: days
--size-time-size-unit The level of granularity for reporting size metrics for the time interval. No
size_time_size_unit
Default: gb
--size-time-time-unit The level of granularity for reporting size metrics for the time interval. No
size_time_time_unit
Default: days
-d, --dependencies Include event dependencies from outside the requested time period. No
-F, --force Overwrite output file if it exists. No
Common Options
Option Description
access_key_id
secret_key
configuration_path

Option Description
Output
Eucalyptus returns a message stating that report was generated to the file you specified.
Example
eureport-generate-report -s 2012-11-05 -e 2012-11-07 --size-unit=b

--size-time-size-unit=b -t instance Report2.html
Exported data to Report2.html
eureport-delete-data
Deletes report data generated before a specified date.
Syntax
eureport-delete-data -s start_date -e end_date

[-d] [filename] [-F]
Options
-s, --start-date Inclusive start date for the deleted report data in YYYY-MM-DD Yes
start_date format. For example, 2012-08-19.
-e, --end-date Exclusive end date for the deleted report data. For example, Yes
end_date 2012-08-26.
filename Path to the reporting data export file No
Common Options
Option Description
access_key_id
secret_key

Option Description
configuration_path
Output
Eucalyptus returns a message detailing the number of data entries it deleted.
Example
eureport-delete-data -e 2012-11-06
Deleted 153415 reporting data entries.
eureport-export-data
Exports report data to a file. This file can be imported into the data warehouse.
Syntax
eureport-export-data [filename] -s start_date -e end_date

[-d] [-F]
Options
filename Path to the resulting reporting data export file No

-s, --start-date Inclusive start date for the exported data in YYYY-MM-DD format. Yes
Common Options
Option Description
access_key_id

Option Description

secret_key
configuration_path
Output
Eucalyptus returns a message stating that the data was exported to the file you specified.
Example
eureport-export-data -s 2012-11-05 -e 2012-11-07 -F iReport.dat

Exported data to iReport.dat
Report Commands: Data Warehouse

This section contains the reference for reporting commands that use the data warehouse.
The workflow for reporting against the data is the data warehouse is as follows:
1. Export data from the Cloud Controller (CLC) using the eureport-export-data command.
2. Import the data into the data warehouse using the eucadw-import-data command.
3. Run a report using the eucadw-generate-report command.
eucadw-status
Checks for a connection to the data warehouse and for available data stored in the data warehouse.
Syntax
eucadw-status -p password
Options
-p, password Administrator password you configured in the data warehouse Yes
installation.
Common Options
None.
Output
Eucalyptus returns the connection status.

Examples
The following example shows a successful connection.
eucadw-status -p mypassword
Connected to database: localhost:8777/reporting as eucalyptus
Data present from 2012-05-27 22:25:01 to 2012-09-24 22:58:01
The following example shows an unsuccessful connection.
eucadw-status -p mypassword
Database access failed with the following details.
SQLState : 3D000
Error Code: 0
FATAL: database "blah" does not exist
eucadw-import-data
Imports data into the data warehouse. This data is in a specified file that has first been generated from the
eureport-export-data command.
Syntax
eucadw-import-data -e filename -p password[-r]
Options
-e, --export Name of the export file you want to import into the data warehouse. Yes
export_filename
installation.
-r, --replace Use this option if you want to replace an existing file that has the same No
name as the file you are importing.
Common Options
None.
Output
Eucalyptus returns a message detailing the number of entries imported and the timefrome of those entries.
Example
eucadw-import-data -e iReport.dat -p mypassword

Imported 45 entries from 2012-11-07 23:08:17 to 2012-11-07 23:37:59
eucadw-generate-report
Generates a report from the data warehouse.

Syntax
eucadw-generate-report -p password[filename]
[-t report_type] [-f report_format] [-s start_date]
[-e end_date] [--size-unit size_unit]
[--time-unit time_unit]
[--size-time-size-unit size_time_size_unit]
[--size-time-time-unit size_time_time_unit] [-d] [-F]
Options
installation.
filename Name of the file to output report data to. If you do not enter a filename, No
Eucalyptus generates report data to the console.
-t, --type Type of report to generate. No
report_type
Valid values: elastic-ip | instance | s3 | snapshot | volume
Default: instance
-f, --format Format of report generate. No

report_format
Valid values: csv | html
Default: html
-s, --start_date Inclusive start date for the exported data in YYYY-MM-DD format. No
Default: html
--size-unit The level of granularity for reporting metrics by size alone. No
size_unit
Default: gb
--time-unit The level of granularity for reporting interval. No

time_unit
Default: days
--size-time-size-unit The level of granularity for reporting size metrics for the time interval. No
size_time_size_unit
Default: gb
--size-time-time-unit The level of granularity for reporting size metrics for the time interval. No
size_time_time_unit
Default: DAYS

Common Options
None.
Output
Eucalyptus returns a message stating that report was generated to the file you specified.
Example
eucadw-generate-report -s 2012-11-05 -e 2012-11-07 --size-unit=b

--size-time-size-unit=b -t instance Report2.html -p mypassword
Exported data to Report2.html
Modifiable Eucalyptus Properties

Eucalyptus exposes a number of properties that can be configured using the euca-modify-property command.
This topic lists the most common configurable properties.
Property Description
authentication.ldap_integration_configuration LDAP integration configuration, in JSON

authentication.websession_life_in_minutes Web session lifetime in minutes
bootstrap.hosts.state_initialize_timeout Timeout for state initialization (in msec).
bootstrap.hosts.state_transfer_timeout Timeout for state transfers (in msec).
bootstrap.notifications.batch_delay_seconds Interval (in seconds) during which a notification will be delayed to allow
for batching events for delivery.
bootstrap.notifications.digest Send a system state digest periodically.
bootstrap.notifications.digest_frequency_hours Period (in hours) with which a system state digest will be delivered.
bootstrap.notifications.digest_only_on_errors If sending system state digests is set to true, then only send the digest
when the system has failures to report.
bootstrap.notifications.email_from From email address used for notification delivery.
bootstrap.notifications.email_from_name From email name used for notification delivery.
bootstrap.notifications.email_subject_prefix Email subject used for notification delivery.
bootstrap.notifications.email_to Email address where notifications are to be delivered.
bootstrap.notifications.include_fault_stack Period (in hours) with which a system state digest will be delivered.
bootstrap.notifications.email.email_smtp_host SMTP host to use when sending email. If unset, the following values
are tried: 1) the value of the 'mail.smtp.host' system property, 2)
localhost, 3) mailhost.
bootstrap.notifications.email.email_smtp_port SMTP port to use when sending email. Defaults to 25
bootstrap.servicebus.hup Do a soft reset.
bootstrap.servicebus.max_outstanding_messages Max queue length allowed per service stage.
bootstrap.servicebus.workers_per_stage Max queue length allowed per service stage.
bootstrap.timer.rate Amount of time (in milliseconds) before a previously running instance
which is not reported will be marked as terminated.

bootstrap.topology.coordinator_check_backoff_secs Backoff between service state checks (in seconds).

bootstrap.topology.local_check_backoff_secs Backoff between service state checks (in seconds).
bootstrap.tx.concurrent_update_retries Maximum number of times a transaction may be retried before giving
up.
bootstrap.webservices.async_internal_operations Execute internal service operations from a separate thread pool (with
respect to I/O).
bootstrap.webservices.async_operations Execute service operations from a separate thread pool (with respect to
I/O).
bootstrap.webservices.async_pipeline Execute service specific pipeline handlers from a separate thread pool
(with respect to I/O).
bootstrap.webservices.channel_connect_timeout Channel connect timeout (ms).
bootstrap.webservices.channel_keep_alive Socket keep alive.
bootstrap.webservices.channel_nodelay Server socket TCP_NODELAY.
bootstrap.webservices.channel_reuse_address Socket reuse address.
bootstrap.webservices.client_http_chunk_buffer_max Server http chunk max.
bootstrap.webservices.client_idle_timeout_secs Client idle timeout (secs).
bootstrap.webservices.client_internal_timeout_secs Client idle timeout (secs).
bootstrap.webservices.client_pool_max_mem_per_conn Server worker thread pool max.
bootstrap.webservices.client_pool_max_threads Server worker thread pool max.
bootstrap.webservices.client_pool_timeout_millis Client socket select timeout (ms).
bootstrap.webservices.client_pool_total_mem Server worker thread pool max.
bootstrap.webservices.clock_skew_sec A max clock skew value (in seconds) between client and server accepted
when validating timestamps in Query/REST protocol.
bootstrap.webservices.cluster_connect_timeout_millis Cluster connect timeout (ms).
bootstrap.webservices.default_aws_sns_uri_scheme Default scheme for AWS_SNS_URL in eucarc.
bootstrap.webservices.default_ec2_uri_scheme Default scheme for EC2_URL in eucarc.
bootstrap.webservices.default_euare_uri_scheme Default scheme for EUARE_URL in eucarc.
bootstrap.webservices.default_eustore_url Default EUSTORE_URL in eucarc.
bootstrap.webservices.default_https_enabled Default scheme prefix in eucarc.
bootstrap.webservices.default_s3_uri_scheme Default scheme for S3_URL in eucarc.
bootstrap.webservices.http_max_chunk_bytes Maximum HTTP chunk size (bytes).
bootstrap.webservices.http_max_header_bytes Maximum HTTP headers size (bytes).
bootstrap.webservices.http_max_initial_line_bytes Maximum HTTP initial line size (bytes).
bootstrap.webservices.oob_internal_operations Execute internal service operations out of band from the normal service
bus.
bootstrap.webservices.pipeline_read_timeout_seconds Server socket read time-out.
bootstrap.webservices.pipeline_write_timeout_seconds Server socket write time-out.

bootstrap.webservices.port Port to bind (note: port 8773 is always bound regardless).

bootstrap.webservices.replay_skew_window_sec Time interval duration (in seconds) during which duplicate signatures
will be accepted to accomodate collisions for legitimate requests inherent
in Query/REST signing protocol.
bootstrap.webservices.server_boss_pool_max_mem_per_conn Server max selector memory per connection.
bootstrap.webservices.server_boss_pool_max_threads Server selector thread pool max.
bootstrap.webservices.server_boss_pool_timeout_millis Service socket select timeout (ms).
bootstrap.webservices.server_boss_pool_total_mem Server worker thread pool max.
bootstrap.webservices.server_channel_nodelay Server socket TCP_NODELAY.
bootstrap.webservices.server_channel_reuse_address Server socket reuse address.
bootstrap.webservices.server_pool_max_mem_per_conn Server max worker memory per connection.
bootstrap.webservices.server_pool_max_threads Server worker thread pool max.
bootstrap.webservices.server_pool_timeout_millis Service socket select timeout (ms).
bootstrap.webservices.server_pool_total_mem Server max worker memory total.
bootstrap.webservices.statistics Record and report service times.
bootstrap.webservices.use_dns_delegation Use DNS delegation for eucarc.
bootstrap.webservices.use_instance_dns Use DNS names for instances.
bootstrap.webservices.ssl.server_alias Alias of the certificate entry in euca.p12 to use for SSL for webservices.
bootstrap.webservices.ssl.server_password Password of the private key corresponding to the specified certificate
for SSL for webservices.
bootstrap.webservices.ssl.server_ssl_ciphers SSL ciphers for webservices.
bootstrap.webservices.unknown_parameter_handling Allows unknown parameters to be ignored for all services or treated an
an error for all services. Valid values:
default: Use each services default handling (i.e., error with EC2,
ignore unknown parameters for other services)
ignore: All services ignore unknown parameters
error: All services fail with an error for unknown parameters
cloud.addresses.dodynamicpublicaddresses Public addresses are assigned to instances by the system as available.

cloud.addresses.maxkillorphans Number of times an orphaned address is reported by a cluster before it
is reclaimed by the system.
cloud.addresses.orphangrace Time after the last recorded state change where an orphaned address
will not be modified by the system (minutes).
cloud.addresses.systemreservedpublicaddresses Public addresses are assigned to instances by the system only from a
pool of reserved instances whose size is determined by this value.
cloud.cluster.disabledinterval The time period between service state checks for a Cluster Controller
which is DISABLED.
cloud.cluster.enabledinterval The time period between service state checks for a Cluster Controller
which is ENABLED.

cloud.cluster.notreadyinterval The time period between service state checks for a Cluster Controller
which is NOTREADY.
cloud.cluster.pendinginterval The time period between service state checks for a Cluster Controller
which is PENDING.
cloud.cluster.requestworkers The number of concurrent requests which will be sent to a single Cluster
Controller.
cloud.cluster.startupsyncretries The number of times a request will be retried while bootstrapping a
Cluster Controller.
cloud.images.defaultkernelid The default used for running images which do not have a kernel specified
in either the manifest, at register time, or at run-instances time.
cloud.images.defaultramdiskid The default used for running images which do not have a ramdisk
specified in either the manifest, at register time, or at run-instances time.
cloud.images.defaultvisibility The default value used to determine whether or not images are marked
'public' when first registered.
cloud.network.global_max_network_index Default max network index.
cloud.network.global_max_network_tag Default max vlan tag.
cloud.network.global_min_network_index Default min network index.
cloud.network.global_min_network_tag Default min vlan tag.
cloud.network.network_index_pending_timeout Minutes before a pending index allocation timesout and is released.
cloud.vmstate.ebs_volume_creation_timeout Amount of time (in minutes) before a EBS volume backing the instance
is created
cloud.vmstate.instance_subdomain Subdomain to use for instance DNS.
cloud.vmstate.instance_timeout Amount of time (in minutes) before a previously running instance which
is not reported will be marked as terminated.
cloud.vmstate.mac_prefix Prefix to use for instance MAC addresses.
cloud.vmstate.max_state_threads Maximum number of threads the system will use to service blocking
state changes.
cloud.vmstate.network_metadata_refresh_time Maximum amount of time (in seconds) that the network topology service
takes to propagate state changes.
cloud.vmstate.shut_down_time Amount of time (in minutes) before a VM which is not reported by a
cluster will be marked as terminated.
cloud.vmstate.stopping_time Amount of time (in minutes) before a stopping VM which is not reported
by a cluster will be marked as terminated.
cloud.vmstate.terminated_time Amount of time (in minutes) that a terminated VM will continue to be
reported.
cloud.vmstate.tx_retries Number of times to retry transactions in the face of potential concurrent
update conflicts.
cloud.vmstate.volatile_state_interval_sec Period (in seconds) between state updates for actively changing state.
cloud.vmstate.volatile_state_timeout_sec Timeout (in seconds) before a requested instance terminate will be
repeated.

<partition>.cluster.addressespernetwork Number of total addresses per network (including unusable gateway

addresses controlled by the system)
<partition>.cluster.maxnetworkindex Maximum usable network index (0 < x < max_network_index)
<partition>.cluster.maxnetworktag Maximum vlan tag to use (0 < min_vlan < x < 4096)
<partition>.cluster.minnetworkindex Maximum usable network index (0 < min_network_index < x)
<partition>.cluster.minnetworktag Minimum vlan tag to use (0 < x < max_vlan <= 4096)
<partition>.cluster.networkmode Currently configured network mode
<partition>.cluster.sourcehostname Alternative address which is the source address for requests made by
the component to the cloud controller.
<partition>.cluster.usenetworktags Indicates whether vlans are in use or not.
<partition>.cluster.vnetnetmask Netmask used by the cluster's virtual private networking.
<partition>.cluster.vnetsubnet IP subnet used by the cluster's virtual private networking.
<partition>.cluster.vnettype IP version used by the cluster's virtual private networking.
<partition>.storage.majornumber AOE Major Number
<partition>.storage.maxtotalvolumesizeingb Total disk space reserved for volumes
<partition>.storage.maxvolumesizeingb Max volume size
<partition>.storage.minornumber AOE Minor Number
<partition>.storage.shouldtransfersnapshots Should transfer snapshots
<partition>.storage.storageinterface Storage network interface.
<partition>.storage.storeprefix Prefix for ISCSI device
<partition>.storage.tid Next Target ID for ISCSI device
<partition>.storage.volumesdir Storage volumes directory.
<partition>.storage.zerofillvolumes Should volumes be zero filled.
reporting.default_size_time_size_unit Default size-time size unit (GB-days, etc)
reporting.default_size_time_time_unit Default size-time time unit (GB-days, etc)
reporting.default_size_unit Default size unit
reporting.default_time_unit Default time unit
reporting.default_write_interval_secs How often the reporting system writes instance snapshots
system.dns.dnsdomain Domain name to use for DNS.
system.dns.nameserver Nameserver address.
system.dns.registrationid Unique ID of this cloud installation.
walrus.blockdevice DRBD block device
walrus.resource DRBD resource name
walrus.storagedir Path to buckets storage
walrus.storagemaxbucketsizeinmb Maximum size per bucket
walrus.storagemaxbucketsperaccount Maximum number of buckets per account

walrus.storagemaxcachesizeinmb Image cache size

walrus.storagemaxtotalsnapshotsizeingb Disk space reserved for snapshots
www.http_port Listen to HTTP on this port.
www.httpproxyhost Http Proxy Host
www.httpproxyport Http Proxy Port
www.https_ciphers SSL ciphers for HTTPS listener.
www.https_port Listen to HTTPs on this port.

Eucalyptus | Advanced Storage Configuration | 100
Advanced Storage Configuration

This section covers advanced storage provider configuration options.
EMC VNX Advanced Configuration

This section contains advanced configuration, best practices, and troubleshooting tips for the EMC VNX SAN provider.
Configure EMC VNX Synchronous Snapshots

To configure synchronous snapshots for an EMC VNX SAN perform the tasks listed in this topic.
Setting the <partition>.storage.enablesyncsnaps property to true will cause snapshots to be set
synchronously during a euca-create-snapshot operation. In this mode, the snapshot is created synchronously
before the euca-create-snapshot command returns, while the copy and upload to Walrus still takes place
asynchronously. This helps ensure that the euca-create-snapshot command returns quickly.
If the CLC loses the connection with the SC or if the connection times out (the default timeout is 60 seconds), the SC
will detect the connection has been closed and will mark the snapshot as failed and will clean up. This detection occurs
after the VNX snapshot has been created, but before it initiates the thread that performs the asynchronous migration and
transfer of the snapshot LUN to Walrus. When using synchronous snapshot mode, if the CLC returns an error to the
user on the euca-create-snapshot command then the snapshot will be marked as failed when listing snapshots
using the euca-describe-snapshots command.
To configure synchronous snapshots for an EMC VNX SAN:
Set the <partition>.storage.enablesyncsnaps property to true :
euca-modify-property -p mypartition.storage.enablesyncsnaps=true
You have now successfully configured synchronous snapshots for your EMC VNX SAN installation.
Best Practices for Multipathing with EMC VNX

This topic details some best practice suggestions for multipathing with EMC VNX.
Note: FEATURE PREVIEW: The multipathing feature is not yet complete, and may change or be removed
from future releases. It is included in this release so that users can try it out and provide feedback.
The primary goals for multipathing with EMC VNX as a Eucalyptus EBS backend are to:
Avoid single points of failure
Maximize bandwidth for data access
Isolate control traffic from data traffic to avoid performance problems
To achieve these goals, some best practice suggestions for multipathing are:
Have at least two distinct networks for the data paths between NC/SC hosts and the SAN, so that there is no single
point failure on the data path.
Have separate network interfaces for NC and SC data and control traffic, to minimize the traffic interferences and
maximize data bandwidth. Data access interfaces can use larger pipes, like 10GB Ethernet.
Connect both SPs on the SAN to all of the data access networks.
The following diagram shows a typical multipathing configuration with EMC VNX. In this diagram, NC/SC hosts have
3 network interfaces: data port 0 and data port 1 for iSCSI data access, and the control port, which is used for control
messages for Eucalyptus internal traffic. Each of the data port connects to a separate switch: switch 0 and switch 1. Each

of the SAN storage processors, SP A and SP B, connects to both switches. In this diagram, we have 4 distinct iSCSI
paths for each storage volume:
1. Data port 0 Switch 0 SP A
2. Data port 0 Switch 0 SP B
3. Data port 1 Switch 1 SP A
4. Data port 1 Switch 1 SP B
In this scenario, failure of any of the paths will not affect the storage access to the volumes:
Troubleshooting EMC VNX Multipathing

This topic is intended to help you troubleshoot EMC VNX multipathing.
Note: FEATURE PREVIEW: The multipathing feature is not yet complete, and may change or be removed
from future releases. It is included in this release so that users can try it out and provide feedback.
The Eucalyptus EMC VNX Multipathing feature requires the following to function properly:
Properly installed and configured Linux Device Mapper Multipathing software on both the Storage Controller and
Node Controller hosts.
Correctly configured iSCSI path system property and related STORAGE_INTERFACES parameters in the
eucalyptus.conf configuration file for both SC and NC.
Prerequisites for Before you start diagnosing the problems with multipathing, make sure you set the proper logging
Troubleshooting level on both SC and NC machines, so that you can get detailed failure logs. To do that:
Typical
Set the cloud.euca_log_level system property to DEBUG

Multipathing Uncomment the LOGLEVEL=DEBUG entry in the eucalyptus.conf file on the NC, and
Failures then restart the NC service
General The following are general tips to help diagnose multipathing problems:
Troubleshooting
Make sure you turn on the DEBUG log level for both SC and NC so that you can get detailed
Techniques for
information from the logs.
Multipathing
Failures Eucalyptus calls some external Perl scripts to perform the actual iSCSI connect/disconnect
operations. These scripts are:
/usr/share/eucalyptus/connect_iscsitarget.pl
/usr/share/eucalyptus/disconnect_iscsitarget.pl
/usr/share/eucalyptus/get_iscsitarget.pl
The STDERR output of these scripts is logged; you can add debug code to print information
to STDERR to see what happens during connection or disconnection operations.
The iscsiadm open-iscsi initiator command line tool can help you get the current status of
all the iSCSI connections in the system. For example:
iscsiadm -m session -P 3
Use the multipath command line tool to see multipathing status. For example:
multipath -ll -v 3
Cannot attach This can occur for a number of reasons. To diagnose this, try some of the following:
volumes
Make sure you can attach a volume without using multipathing.
Check your SAN-related system properties to see if you have set the correct values.
Use a single path for the NC; for example, set PARTITION.storage.ncpaths to something
like 192.168.25.182. If you specify an iface in your path, like iface0:192.168.25.182, also
make sure you have iface0 defined with STORAGE_INTERFACES in eucalyptus.conf
configuration file on the NC.
If you have no problem attaching a volume with a single path, the failure may be due to the
incorrect state of the Linux device mapper multipathing tool. Check if the multipathd service
is running on the NC hosts and if /etc/multipath.conf is installed and configured properly
(for example, copy the example configuration provided by Eucalyptus). Remember to set
user_friendly_names to yes in /etc/multipath.conf. You can try restarting multipathd
and/or reloading /etc/multipath.conf if you changed it previously. Run multipath -ll on
NC host and see if it returns reasonable output without any error.
Check that the PARTITION.storage.ncpaths configuration file entries are correct. A typo
can cause volume attach failures.
Make sure that the networking configuration is correct for the NC hosts. If you set the paths
without specific ifaces, check to see if you can connect to each IP in the path using default
network interface; otherwise, check each paths connectivity using a specific network interface.
Check network connectivity with all of the configured paths.
Check the nc.log log file for the string connect_iscsitarget. Examine the return results,
especially the stderr output.
Not all paths are Sometimes when you run multipath -ll on NC hosts after attaching a volume, you find that the
connected multipath device does not have all of the paths connected. In this case, the problem could be due
to one of the following:
There is a mistake in the paths in one of the PARTITION.storage.ncpaths entries. If one of
the paths specified in the system property is wrong, then it is possible that the specific path
can not be connected. Make sure you have all the paths specified correctly.
The missing paths are not valid networking paths, or have networking issues. For example,
when you ignore the iface part of a path, are you sure that the destination of the path (the IP

part of the path) can be connected via the default network interface? Or if you specified the
iface, are you sure you defined the iface in the eucalyptus.conf configuration file, and that
the destination can be connected with the specified network interface?
If the paths specified are all valid, but some of them do not have connectivity, try to ping each
of the specified paths on the NC hosts to check for connectivity. If there are connectivity issues,
contact your network administrator.
Snapshotting The Eucalyptus Storage Controller needs to attach a volume on the machine it runs so it can upload
failed to Walrus during an EC2 snapshot call. To help ensure maximum reliability for snapshotting, you
should use multipathing for the SC host; this is configured with the PARTITION.storage.scpaths
system property. When multipathing is enabled for the SC, if you see a snapshot failure, it may
be caused by multipathing. Techniques for diagnosing SC multipathing failures is similar to those
used for NC multipathing failures. In the case of SC multipathing failures, the logs are in
/var/log/eucalyptus/cloud-*.log, not nc.log, since the iSCSI connect scripts are invoked by
Java code.
NetApp Advanced Configuration

This section contains advanced configuration, best practices, and troubleshooting tips for the NetApp SAN provider.
NetApp Clustered Data ONTAP

A clustered ONTAP system consists of two or more individual NetApp storage controllers with attached disks. The
basic building block is the HA pair, a term familiar from Data ONTAP 7G or 7-Mode environments.
An HA pair consists of two identical controllers; each controller actively provides data services and has redundant cabled
paths to the other controllers disk storage.
One of the key differentiators in a clustered ONTAP environment is that multiple HA pairs are combined together into
a cluster to form a shared pool of physical resources available to applications. The shared pool appears as a single system
image for management purposes. This means there is a single common point of management, whether through GUI or
CLI tools, for the entire cluster. While the members of each HA pair must be the same controller type, the cluster can
consist of heterogeneous HA pairs. Each NetApp storage controller with in a cluster is also referred to as a node.
The primary logical cluster component is the Virtual Storage Server, known as Vserver. Clustered ONTAP supports
from one to hundreds of Vservers in a single cluster. A Vserver is configured for the client and host access protocols
(such as iSCSI). Each Vserver contains at least one volume and at least one logical interface. The accessing hosts and
clients connect to the Vserver using a logical interface (or LIF). LIFs present an IP address which will be used by iSCSI
hosts. Each LIF has a home port on a NIC or HBA. LIFs are used to virtualize the NIC and HBA ports rather than
mapping IP addresses or WWNs directly to the physical ports. Each Vserver requires its own dedicated set of LIFs, and
up to 128 LIFs can be defined on any cluster node.
Each Vserver consists of different volumes and LIFs, providing secure compartmentalized access. Although the volumes
and LIFs in each Vserver share the same physical resources (network ports and storage aggregates), a host or client can
only access the data in a Vserver through a LIF defined in that Vserver. Administrative controls make sure that a delegated
administrator with access to a Vserver can only see the logical resources assigned to that Vserver.
For more information on NetApp Clustered Data ONTAP, see Clustered Data ONTAP 8.1 and 8.1.1: An Introduction.
Eucalyptus integrates with NetApp Clustered ONTAP system by operating against a Vserver. SC must be configured
to operate against Vserver contained in the NetApp Clustered ONTAP environment. SCs in other Eucalyptus clusters
can be configured to use the same or different Vservers. SC and NC only interact with the configured Vserver and do
not communicate with the Clustered ONTAP interfaces directly.
Configurable NetApp SAN Properties

This topic lists the NetApp SAN-specific properties you can configure using euca-modify-property, along with
their valid values and Eucalyptus default values.

Note: The following configuration options are a subset of the Netapp SAN configuration parameters. Changing
these default values may cause storage operations to fail. Please proceed at your own risk. For more information
on NetApp configuration, please refer to the NetApp Data ONTAP 7G documentation and the NetApp Data
ONTAP 8G documentation (these links require you to register and login).
7-Mode and Cluster Mode Properties

The following table lists properties that are applicable to both 7-mode and cluster mode:
Eucalyptus Property Description Valid Values
<region>.storage.enablespacereservation LUN space reservation determines Default value: true

when space for the LUN is reserved or
allocated from the flex volume. With
reservations enabled the space is
subtracted from the volume total when
the LUN is created. If reservations are
disabled, space is first taken out of the
volume as writes to the LUN are
performed.
<region>.storage.enablededup Data deduplication removes duplicate Default value: false
blocks, storing only unique blocks of
data in the flex volume, and it creates
a small amount of additional metadata
in the process. It is disabled by default.
<region>.storage.enablecompression
must be false before disabling
deduplication.
<region>.storage.enablecompression Data compression is a software-based Default value: false
solution that provides transparent data
compression. It has the ability to run
either as an inline process as data is
written to disk or as a scheduled
process. Compression is disabled by
default. <region>.storage.enablededup
must be true before enabling data
compression.
<region>.storage.enableinlinecompression
must be false before disabling
compression.
<region>.storage.enableinlinecompression When data compression is configured Default value: false
for inline operation, data is compressed
in memory before it is written to disk.
It is disabled by default.
<region>.storage.enablecompression
must be true before enabling inline
compression.

<region>.storage.dedupschedule Schedule string for the dedup and or Default value: n/a
compression operation on flex
volumes.
<region>.storage.enablededup
must be true before configuring the
schedule. If the schedule is not
configured, NetApp applies a default
schedule to the flex volume. In
Cluster-Mode, either the schedule or
the policy can be configured for the
flex volume. Both cannot be
configured together. The format of the
schedule string is:
day_list@hour_list or
hour_list@day_list or - or auto.
day_list specifies which days of the
week the sis operation should run. It is
a comma-separated list of the first three
letters of the day: sun, mon, tue, wed,
thu, fri, sat. Day ranges such as mon-fri
can also be used. hour_list specifies
which hours of the day the sis
operation should run on each scheduled
day. hour_list is a comma-separated
list of the integers from 0 to 23. Hour
ranges such as 8-17 are allowed. Step
values can be used in conjunction with
ranges. If - is specified, no schedule
is set. The auto schedule string
means the sis operation will be
triggered by the amount of new data
written to the volume.
<region>.storage.lunostype The operating system of the host Default value: linux
accessing the LUN. This determines
Valid values: solaris,
the layout of the data on the LUN, the
Solaris_efi, windows,
geometry used to access that data, and
windows_gpt, windows_2008,
property offsets for the LUN to ensure
hpux, aix, linux, netware,
it is properly aligned with the upper
vmware, xen, or hyper_v
layers of the file system
<region>.storage.initiatorostype Operating system type of the Default value: linux
hypervisor hosting the instances.
Valid values: solaris, windows,
hpux, aix, linux, netware,
vmware, xen, or hyper_v
<region>.storage.fractionalreserve The percentage of space reserved for 0-100; default is 0

overwrites of reserved objects (LUNs
or files) in a volume.
<region>.storage.noatimeupdate Prevents the update of inode access "on" (default) or "off"
times when a file is read.

<region>.storage.tryfirst Determines if the volume size is "volume_grow" (default) or

increased before deleting snapshots if "snap_delete"
enableautosize property is "true".
<region>.storage.guarantee Controls space reservation for flexible "none", "file", or "volume" (default)
volumes. See the NetApp SDK
documentation for more information.
<region>.storage.enableautosize Toggles the flex volume autosize "true" (default) or "false"
feature.
<region>.storage.volautosizemaxmultiplier Flex volume's maximum size allowed, Integer >= 1; default is 3
specified as a multiple of the original
size
<region>.storage.volautosizeincrementinmb Flex volume's increment size in Integer >= 1; default is 256
megabytes.
<region>.storage.snappercent Additional space reserved on the flex Integer >= 0; default is 0
volume to store automatic and manual
snapshots created outside of
Eucalyptus. The amount of space to be
reserved is specified as a percentage
of the flex volume.
<region>.storage.aggregate Aggregates that can be used to create Comma-separated string
and manage volumes and snapshots. If
a list of aggregates is configured,
Eucalyptus will pick one based on
<region>.storage.uselargestaggregate
strategy. If no aggregate is provided
Eucalyptus will query the NetApp
SAN for available aggregates and
choose one based
<region>.storage.uselargestaggregate
strategy.
<region>.storage.uselargestaggregate If set to true Eucalyptus will pick the "true" (default) or "false"
largest available aggregate from a list
of aggregates. If set to false the
smallest available aggregate will be
chosen.
7-Mode Properties
The following properties are specific to 7-mode:
<region>.storage.convertucode Setting this option to "on" forces "on" (default) or "off"

conversion of all directories to
UNICODE format when accessed from
both NFS and CIFS.
<region>.storage.createucode Setting this option to "on" forces "on" (default) or "off"
UNICODE format directories to be
created by default from NFS and CIFS.

<region>.storage.snapschedweeks Number of weekly snapshots to keep Integer >= 0; default is 0

online.
<region>.storage.snapscheddays Number of daily snapshots to keep Integer >= 0; default is 0
online.
<region>.storage.snapschedhours Number of hourly snapshots to keep Integer >= 0; default is 0
online.
<region>.storage.nosnap Disable automatic snapshots. If set to "true" (default) or "false"
true, snapshot scheduling properties
<region>.storage.snapschedweeks and
<region>.storage.snapscheddays and
<region>.storage.snapschedhours are
ignored, and the SC transmits the
default value (0) in their place to the
NetApp SAN.
Cluster Mode Properties

The following properties are cluster mode specific:
<region>.storage.snapshotpolicy Snapshot retention policy determines String; default is "none"

how long the scheduled snapshots in
the reserve are kept before being
deleted automatically. This applies to
automatic snapshots only.
<region>.storage.autosnapshots Disable automatic snapshots. If set to "true" (default) or "false"
false snapshot scheduling policy
defined by
<region>.storage.snapshotpolicy is
igonred and SC transmitts the default
value (none) in its place to the
NetApp SAN.
<region>.storage.deduppolicy Name of the sis policy to be attached Default value: n/a
to flex volumes in cluster-mode.
<region>.storage.enablededup must be
true before configuring the policy.
Either the schedule or the policy can
be configured for the flex volume.
Both cannot be configured together.
<region>.storage.portset Name of the portset to bind to an Default value: n/a
igroup in cluster-mode. Port sets are
collections of iSCSI ports/LIFs. A port
set can be used to restrict access to the
LUN by making it visible only through
target ports that are contained in the
port set definition.

Eucalyptus | Index | 108
Index
A cloud (continued)
storage volumes 17
access 27, 4546 best practices 17
IAM 27 synchronizing clocks 13
types of 27 timestamp expiration 13
use case 4546 vSphere 12
access tasks 44, 4760 working with 12
accounts 4749 cloud tasks 1923
add an account 47 add a Node Controller 21
approve an account 48 evacuate a Node Controller 21
delete an account 49 inspect system health 19
list all 49 list arbitrators 20
reject an account 48 list of 19
rename an account 48 migrate instances 21
credentials 5859 remove a Node Controller 22
generate 58 restart Eucalyptus 22
get administrator credentials 59 shut down Eucalyptus 23
retrieve existing 58 view user resources 20
upload a certificate 59 configuration 74
groups 5053 iptables 74
add a policy 51 configuring 100
create a group 50 credentials 28
delete a group 53
list all 52
list policies 53
E
modify a group 51 Eucalyptus 5
remove user 52 accessing 5
LDAP/AD 59 CLI 5
synchronize 59 Eucalyptus Administrator Console 5
LIC file 5960 overview 5
start 59
upload 60
list of 44 I
users 5457
image tasks 18
add a user 54
caching 18
add a user to group 55
create login profile 55
delete a user 57 S
list all 57
modify a user 56 SSL 71
account 28 Admin Console 71
create 28
T
C
troubleshooting 101
cloud 9, 1214, 17 multipathing 101
best practices 12, 14
high availability in 14 U
overview 9
securing 13 user identities 27

Admin-Guide-3 4 2

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Admin-Guide-3 4 2

Hochgeladen von

Copyright:

Verfügbare Formate

Eucalyptus 3.4.

2014-02-23 Eucalyptus Systems

Manage Your Cloud..................................................................................................9

Reporting Tasks: CLC.............................................................................................................................79

Advanced Storage Configuration........................................................................100

Command Line Interface

Eucalyptus Administrator Console Overview

CC-BY-SA, Eucalyptus Systems, Inc.

Signing in to the Eucalyptus Administrator Console

4. Enter your user name in the User field.

Understanding the Eucalyptus Administrator Console

CC-BY-SA, Eucalyptus Systems, Inc.

CC-BY-SA, Eucalyptus Systems, Inc.

Type Name Description Fields

start Start page None

policy Eucalyptus policies account, user, group, name, id,

user:account=testaccount name=user1,user2 enabled=true

CC-BY-SA, Eucalyptus Systems, Inc.

Manage Your Cloud

CC-BY-SA, Eucalyptus Systems, Inc.

Networking Configuration Options

Option Description Modes

VNET_ADDRESSPERNET This option controls how many VM instances can Managed,

defines a netmask of 255.255.0.0 that uses 16 bits of the

CC-BY-SA, Eucalyptus Systems, Inc.

Option Description Modes

VNET_DHCPDAEMON The ISC DHCP executable to use. This is set to a Static

VNET_DNS The address of the DNS server to supply to instances in Static

VNET_LOCALIP By default the CC automatically determines which IP Managed

CC-BY-SA, Eucalyptus Systems, Inc.

Option Description Modes

VNET_PUBLICIPS A space-separated list of individual and/or hyphenated Managed

Cloud Best Practices

Working with vSphere

Actions that may be performed with vSphere tools at any time

CC-BY-SA, Eucalyptus Systems, Inc.

Actions to avoid with vSphere tools at all times:

Securing Your Cloud

CC-BY-SA, Eucalyptus Systems, Inc.

the same signatures are accepted is controlled by the bootstrap.webservices.replay_skew_window_sec

openssl pkcs12 -export -in [YOURCERT.crt] -inkey [YOURKEY.key] \

Enable the Cloud Controller to use this keystore

Restart the CLC by running service eucalyptus-cloud restart or /etc/init.d/eucalyptus-cloud

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8773

CC-BY-SA, Eucalyptus Systems, Inc.

Understanding Service State

State Operational In use by system Description

ENABLED Yes Yes Service is operating correctly

CC-BY-SA, Eucalyptus Systems, Inc.

Based on the collected service state, the system will:

Understanding System Availability

Component Scope (Fault Region) Description

Cloud Controller Cloud The CLC is a cloud-wide service and

CC-BY-SA, Eucalyptus Systems, Inc.

Component Scope (Fault Region) Description

VMware Broker Availability Zone VMware Broker are associated with a

A quick way to evaluate system availability is to determine whether:

CC-BY-SA, Eucalyptus Systems, Inc.

Caching Images on the Cluster Controller

b) Set CC_IMAGE_PROXY_PATH to point to the location of the image cache.

c) Set CC_IMAGE_PROXY_CACHE_SIZE to the maximum size of the image cache.

Important: Setting CC_IMAGE_PROXY_CACHE_SIZE to 0 will cause any attempts to create an

3. Perform a restart of the cluster controller.